What's a honeypot and what's its purpose?
It's basically a computer or virtual machine emulating some services (e.g. SSH, FTP, telnet, NetBIOS, HTTPS, a Samba server, etc.) that accepts, logs and sends warnings about all incoming connections. You can use it as an intrusion detection or early warning system, but it can also go a little further and let you get inside the intruder's "head", since you get to log every interaction.
How and where should it be placed?
Let's start with "where". I usually place them in specific areas to get an idea of how, or whether, the network is being tested from outside or inside. So I have about three major areas: behind firewalls, in "sensible zones" where only pre-defined machines should have access, and in the "public zone" such as the administrative/general network.
Placing a honeypot behind firewalls or in "sensible zones" will confirm that the firewall is doing its job; if you get a hit there, it means you have a misconfiguration or a serious intrusion. Honeypots placed in the "public zone" will give you a glimpse of whether you have some outsider skimming your network, an insider threat, or just a very network-enthusiastic co-worker... to put it mildly.
How to place it? This answer can be split into two parts: hardware and timeline.
- Hardware: since the minimum hardware requirements are very low, virtual machines are the best option. 1 vCPU and 512 MB of RAM will be enough for each instance.
- Timeline: if you have the resources (basically a mature security team with proper tools), deploy all of them at the same time. If not, deploying the honeypots from the most to the least secure zones of the network is recommended. In the most secure zone you should see no events at all, whereas in the least secure you might get a couple; this approach gives you time to understand eventual breaches and mature your responses (as opposed to having lots of hits all across the network and spreading resources thin in order to understand what's happening).
Which software and how to install it?
A very simple honeypot is OpenCanary. It's free, it emulates Windows/Linux servers as well as a MySQL server, FTP and SSH, and it can send events to syslog, a log file and via email. Usually I run it on an Ubuntu Server with 1 vCPU and 512 MB of RAM.
1. Install the Ubuntu Server version and apply all the security updates.
2. Install the necessary libraries and the honeypot:
$ sudo apt-get install python-dev python-pip python-virtualenv
$ virtualenv env/
$ . env/bin/activate
$ pip install opencanary
$ sudo apt-get install -y build-essential libssl-dev libffi-dev python-dev
$ pip install rdpy
3. Finally, run it for the first time (default configuration):
$ . env/bin/activate
$ opencanaryd --copyconfig
$ opencanaryd --start
Edit the file ~/.opencanary.conf, set the line "http.enabled": true and restart the service with the command opencanaryd --restart. This will enable the HTTP server. Now point your browser to http://your-ip-addr and check out your brand new Synology RackStation!
Try your luck by logging in with some commonly used usernames/passwords. Now check the OpenCanary log in the file /var/tmp/opencanary.log.
[Image: Synology network admin panel (or at least presented like it)]
[Image: opencanary log file]
Pretty interesting, huh? Timestamp, username/password tries, IP addresses...
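A small parser for the JSON-per-line entries OpenCanary writes to /var/tmp/opencanary.log, added here as an example that is not part of the original article or of the OpenCanary project. It groups credential attempts per source IP and rates every contact by the zone the honeypot sits in, following the placement logic above; the sample log lines, the node_id-to-zone mapping and the logtype codes (taken from memory of OpenCanary's source) are assumptions.

```python
import json
from collections import Counter, defaultdict

# Constructed sample lines in the JSON-per-line format OpenCanary writes to
# /var/tmp/opencanary.log (field names as OpenCanary uses them; values made up).
SAMPLE_LOG = """\
{"dst_host": "10.0.5.20", "dst_port": 23, "local_time": "2019-03-01 10:01:02.123456", "logdata": {"USERNAME": "admin", "PASSWORD": "admin"}, "logtype": 6001, "node_id": "dmz-nas-01", "src_host": "203.0.113.7", "src_port": 51000}
{"dst_host": "10.0.5.20", "dst_port": 23, "local_time": "2019-03-01 10:01:05.000000", "logdata": {"USERNAME": "root", "PASSWORD": "toor"}, "logtype": 6001, "node_id": "dmz-nas-01", "src_host": "203.0.113.7", "src_port": 51001}
{"dst_host": "10.0.9.5", "dst_port": 22, "local_time": "2019-03-01 10:02:00.000000", "logdata": {"USERNAME": "backup", "PASSWORD": "backup"}, "logtype": 4002, "node_id": "vault-fs-02", "src_host": "10.0.1.44", "src_port": 40022}
{"dst_host": "10.0.5.20", "dst_port": 80, "local_time": "2019-03-01 10:03:00.000000", "logdata": {"PATH": "/", "USERAGENT": "curl/7.58"}, "logtype": 3000, "node_id": "dmz-nas-01", "src_host": "198.51.100.9", "src_port": 33000}
"""

# OpenCanary logtype codes for credential attempts (assumed from OpenCanary's source).
LOGIN_ATTEMPT_TYPES = {2000: "ftp", 3001: "http", 4002: "ssh", 6001: "telnet"}

# Hypothetical mapping of each honeypot's node_id to the zone it was placed in,
# following the article's three areas; the secure zone should never see traffic.
NODE_ZONE = {"dmz-nas-01": "public", "vault-fs-02": "secure"}
ZONE_SEVERITY = {"secure": "critical", "sensible": "high", "public": "medium"}

def parse_events(text):
    """Parse JSON-per-line log text; skip blank or malformed lines instead of aborting."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except ValueError:
            continue  # a partially written line; don't lose the rest of the file
    return events

def summarize(events):
    """Return (login attempts per source, alerts); severity comes from the honeypot's zone."""
    attempts = defaultdict(Counter)  # src_host -> Counter of (service, username, password)
    alerts = []
    for ev in events:
        src = ev.get("src_host", "?")
        zone = NODE_ZONE.get(ev.get("node_id"), "unknown")
        service = LOGIN_ATTEMPT_TYPES.get(ev.get("logtype"))
        if service:
            data = ev.get("logdata", {})
            attempts[src][(service, data.get("USERNAME"), data.get("PASSWORD"))] += 1
        # Any contact with a honeypot is worth an alert; the zone decides how loud it is.
        alerts.append({"src": src, "node": ev.get("node_id"), "zone": zone,
                       "port": ev.get("dst_port"), "severity": ZONE_SEVERITY.get(zone, "medium")})
    return attempts, alerts
```

On a real host, feed it `open("/var/tmp/opencanary.log").read()` instead of SAMPLE_LOG; a GET against the fake NAS page (logtype 3000) shows up as an alert but not as a credential attempt.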
Edit the configuration!
Now let's create some services so the honeypot gets really sweet. Edit the configuration file ~/.opencanary.conf:
{
  "device.node_id": "HoneyPot-ServerName-Good-idea-to-change-it",
  "git.enabled": false,
  "git.port" : 9418,
  "ftp.enabled": true,
  "ftp.port": 21,
  "ftp.banner": "FTP server ready",
  "http.banner": "Apache/2.2.22 (Ubuntu)",
  "http.enabled": true,
  "http.port": 80,
  "http.skin": "nasLogin",
  "http.skin.list": [
    { "desc": "Plain HTML Login", "name": "basicLogin" },
    { "desc": "Synology NAS Login", "name": "nasLogin" }
  ],
  "httpproxy.enabled" : false,
  "httpproxy.port": 8080,
  "httpproxy.skin": "squid",
  "httproxy.skin.list": [
    { "desc": "Squid", "name": "squid" },
    { "desc": "Microsoft ISA Server Web Proxy", "name": "ms-isa" }
  ],
  "logger": {
    "class": "PyLogger",
    "kwargs": {
      "formatters": {
        "plain": { "format": "%(message)s" }
      },
      "handlers": {
        "console": { "class": "logging.StreamHandler", "stream": "ext://sys.stdout" },
        "file": { "class": "logging.FileHandler", "filename": "/var/tmp/opencanary.log" }
      }
    }
  },
  "portscan.enabled": false,
  "portscan.logfile": "/var/log/kern.log",
  "portscan.synrate": 5,
  "portscan.nmaposrate": 5,
  "portscan.lorate": 3,
  "smb.auditfile": "/var/log/samba-audit.log",
  "smb.enabled": false,
  "mysql.enabled": false,
  "mysql.port": 3306,
  "mysql.banner": "5.5.43-0ubuntu0.14.04.1",
  "ssh.enabled": true,
  "ssh.port": 22,
  "ssh.version": "SSH-2.0-OpenSSH_5.1p1 Debian-4",
  "redis.enabled": false,
  "redis.port": 6379,
  "rdp.enabled": false,
  "rdp.port": 3389,
  "sip.enabled": false,
  "sip.port": 5060,
  "snmp.enabled": false,
  "snmp.port": 161,
  "ntp.enabled": false,
  "ntp.port": "123",
  "tftp.enabled": false,
  "tftp.port": 69,
  "tcpbanner.maxnum": 10,
  "tcpbanner.enabled": false,
  "tcpbanner_1.enabled": false,
  "tcpbanner_1.port": 8001,
  "tcpbanner_1.datareceivedbanner": "",
  "tcpbanner_1.initbanner": "",
  "tcpbanner_1.alertstring.enabled": false,
  "tcpbanner_1.alertstring": "",
  "tcpbanner_1.keep_alive.enabled": false,
  "tcpbanner_1.keep_alive_secret": "",
  "tcpbanner_1.keep_alive_probes": 11,
  "tcpbanner_1.keep_alive_interval": 300,
  "tcpbanner_1.keep_alive_idle": 300,
  "telnet.enabled": true,
  "telnet.port": "23",
  "telnet.banner": "",
  "telnet.honeycreds": [
    { "username": "admin", "password": "$pbkdf2-sha512$19000$bG1NaY3xvjdGyBlj7N37Xw$dGrmBqqWa1okTCpN3QEmeo9j5DuV2u1EuVFD8Di0GxNiM64To5O/Y66f7UASvnQr8.LCzqTm6awC8Kj/aGKvwA" },
    { "username": "admin", "password": "admin1" }
  ],
  "mssql.enabled": false,
  "mssql.version": "2012",
  "mssql.port": 1433,
  "vnc.enabled": false,
  "vnc.port": 5000
}
The above configuration basically enables the HTTP server and the FTP, telnet and SSH services. It's really recommended to change the node ID to something more realistic... and don't forget to do the same for the machine hostname! All the logging goes to /var/tmp/opencanary.log. As seen in the configuration file, lots of other services can be enabled and played with. If you'll monitor the VM via SSH, make sure to change the SSH port, either in the SSH daemon or in OpenCanary, so the real sshd and the fake one don't fight over port 22.
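A pre-deployment check for the two pitfalls just mentioned (a placeholder node ID and the SSH honeypot colliding with the management sshd), plus a duplicate-port check across enabled services. This is an added example, not part of the article or of OpenCanary; the config fragment is constructed from the keys shown above and the management SSH port is assumed to be 22.

```python
import json

# Constructed fragment of ~/.opencanary.conf using only the keys this check reads
# (values chosen to trigger the findings; ports may be strings, as "telnet.port" is above).
SAMPLE_CONF = """{
  "device.node_id": "HoneyPot-ServerName-Good-idea-to-change-it",
  "ftp.enabled": true, "ftp.port": 21,
  "http.enabled": true, "http.port": 80,
  "httpproxy.enabled": false, "httpproxy.port": 8080,
  "ssh.enabled": true, "ssh.port": 22,
  "telnet.enabled": true, "telnet.port": "23",
  "mysql.enabled": false, "mysql.port": 3306
}"""

MANAGEMENT_SSH_PORT = 22  # assumed: the port the real sshd used to administer the VM listens on

def enabled_services(conf):
    """Map every service with <name>.enabled == true to its port as an int."""
    services = {}
    for key, val in conf.items():
        if key.endswith(".enabled") and val is True:
            name = key[: -len(".enabled")]
            services[name] = int(conf.get(name + ".port", 0))
    return services

def check_config(conf):
    """Return a list of findings to fix before the honeypot goes live."""
    findings = []
    node_id = conf.get("device.node_id", "")
    if "honeypot" in node_id.lower() or "change-it" in node_id.lower():
        findings.append("node_id still looks like a placeholder: " + node_id)
    services = enabled_services(conf)
    if services.get("ssh") == MANAGEMENT_SSH_PORT:
        findings.append("ssh honeypot on port %d collides with the management sshd"
                        % MANAGEMENT_SSH_PORT)
    seen = {}  # port -> first service claiming it
    for name, port in services.items():
        if port in seen:
            findings.append("port %d used by both %s and %s" % (port, seen[port], name))
        seen[port] = name
    return findings

def check_config_text(text):
    """Convenience wrapper: run the checks on raw JSON text (e.g. the file contents)."""
    return check_config(json.loads(text))
```
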
How to deploy honeypots in your network was originally published in Hacker Noon on Medium, where people are continuing the conversation by highlighting and responding to this story.