
Creating a Honeypot Network: It's time to plan

Introduction

How cool would it be to have access to a vast collection of honeypots, collecting statistics on attack trends, new techniques and targeted hot spots!

Imagine if you could be like, oh daymm, that new PulseVPN vulnerability is pretty bad, I wonder if it’s being actively exploited? Let’s see…

curl 'https://securitynotsupported.com/honeypot/deploy?type=pulsevpn&location=china,london,washington'

waits 3 days… Huh, yeah it is. Neat!

I’ve started a project called HoneypotDB. The plan is to build a global network of VMs hosting a range of honeypot types, as well as some specific honeypots for newly released exploits and vulnerabilities such as BlueKeep or web application exploits.

I’ll probably end up making the collected data available through a web interface on https://honeypotdb.com, and a nifty API at https://honeypotdb.com/api. Soon™

Let’s do this

So one of the first things I do when starting a project is spend about £20 on VMs, clone a bunch of git repos, test them, get excited, build everything in 6 hours, go to bed at 4AM and then never touch it again.

But I’ve already done that, so let’s crack on with building it for real.

Requirements

I want HoneypotDB to have the following minimum requirements:

  • At least 1 Honeypot VM in 6 different countries
    • At minimum, host honeypots for SSH, FTP, telnet and MySQL
  • Be easily deployed via a bash script or remotely via Ansible
  • Be able to be deployed in OpenVZ containers (Because they’re CHEAP AF)
  • But also be able to be deployed using docker inside a KVM VM, because docker is neat
  • Log all collected data to an Elasticsearch cluster for indexing and storage
  • Follow an easy ‘spin up spin down’ methodology, so I can add new pots and pot types without needing to rebuild everything

It would also be awesome if it could have:

  • A Web interface at https://honeypotdb.com/ that shows collected data, visualisations, dashboards and like graphs and shit
  • Offer a fully functional REST API to get collected honeypot data from at https://honeypotdb.com/api
  • Tie in with a management API to easily manage and deploy honeypots with a single request (And maybe a management web interface to match…)
  • Have the ability for people to ‘Donate a pot’, where they can launch their own HoneypotDB pot via the API, which will just SSH into a blank CentOS (oof) VM, launch some pots and link them to Elasticsearch. In return they could probably get premium API features ;)

HoneyPot Technologies

I want to be able to deploy a range of honeypots, using neat opensource projects such as:

  • Cowrie
  • RDPy
  • HoneyTrap
  • elasticHoney
  • mysql-honeypotd

Loads more at: https://github.com/paralax/awesome-honeypots

HIDS/NIDS

I also want to deploy Wazuh as a HIDS and Suricata as a NIDS on all the honeypots for a bit of intrusion detection, just in case something weird does happen to a pot. Hey, I can also use the Suricata data for attack trend analysis :)

Suricata will also come in useful when detecting newly released exploits by creating specific suricata rules, rather than a whole Honeypot, but that’s an upcoming project :)

To collect honeypot data, I’ll use Filebeat shippers to send JSON logs from the honeypots to some Logstash nodes, which will feed into an Elasticsearch cluster. This will let me query the data easily and build the API on top of it.
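As an added example, not something from the original post or from the Cowrie or Elastic projects, here is the filebeat.yml one pot might run to ship Cowrie’s JSON log to Logstash. It assumes Cowrie is installed at /opt/cowrie/cowrie with its JSON output enabled, a Logstash Beats input at logstash.example.internal:5044 (a hypothetical hostname), and a CA cert at /etc/filebeat/ca.crt that signed the Logstash certificate; the sensor name and country are placeholders.

```yaml
# Added example filebeat.yml for a single Cowrie pot (not from the post or either project).
# Assumptions: Cowrie lives in /opt/cowrie/cowrie with [output_jsonlog] enabled,
# Logstash exposes a Beats input on logstash.example.internal:5044 (hypothetical host),
# and its certificate chains to the CA in /etc/filebeat/ca.crt.

filebeat.inputs:
  - type: log
    enabled: true
    paths:
      # Cowrie rotates the file daily to cowrie.json.YYYY-MM-DD; the glob catches those too.
      - /opt/cowrie/cowrie/var/log/cowrie/cowrie.json*
    # Cowrie writes one JSON object per line; lift its keys to the top level
    # so Elasticsearch gets eventid, src_ip, username etc. as real fields.
    json.keys_under_root: true
    json.add_error_key: true
    # Tag every event with which pot type and which sensor produced it, so the
    # API can later filter by honeypot type and location.
    fields:
      honeypot_type: cowrie
      sensor_id: pot-london-01      # placeholder sensor name
      sensor_country: GB
    fields_under_root: true

# Ship to Logstash rather than straight to Elasticsearch, so the pot never holds
# cluster credentials: a compromised pot then cannot read or wipe the collected data.
output.logstash:
  hosts: ["logstash.example.internal:5044"]
  # The pot-to-Logstash hop crosses the public internet: encrypt it and pin our own CA.
  ssl.certificate_authorities: ["/etc/filebeat/ca.crt"]
  # Client certificate so Logstash only accepts events from sensors we issued certs to.
  ssl.certificate: "/etc/filebeat/pot.crt"
  ssl.key: "/etc/filebeat/pot.key"

# Keep Filebeat's own logging quiet; the pot is disposable and its disk is small.
logging.level: warning
```

For the client certificate to actually be enforced, the matching Logstash beats input needs ssl => true with ssl_verify_mode => "force_peer" and the same CA in ssl_certificate_authorities; with the default of none, any host that can reach port 5044 can inject fake "attacks" into the dataset. Going through Logstash instead of writing to Elasticsearch directly is deliberate: these boxes exist to be attacked, so nothing on them should be able to authenticate to the cluster.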

Okay, what’s next?

Right, so I think I know what I need to do now.

Time to look at how we can deploy a basic cowrie SSH honeypot via Ansible, and automatically setup filebeat etc.
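Here is what that first playbook could look like, as an added example rather than the post’s own playbook (which was still to be written) or anything from the Cowrie or Elastic projects. It assumes a Debian/Ubuntu target in an inventory group called honeypots, that the admin sshd can move to port 2200, that Elastic’s 7.x apt repository is the one you want, and that the per-pot Filebeat config is kept beside the playbook as files/filebeat.yml; all of those are placeholders to adjust.

```yaml
# Added example playbook, not the post's own nor Cowrie's or Elastic's: installs
# Cowrie under an unprivileged user on a Debian/Ubuntu pot, moves the admin sshd
# to 2200, redirects inbound 22 to Cowrie on 2222, and installs Filebeat 7.x with
# a filebeat.yml shipped from files/. Group name, ports and repo version are assumptions.
- name: Deploy a Cowrie SSH honeypot with Filebeat
  hosts: honeypots
  become: true
  vars:
    cowrie_user: cowrie
    cowrie_dir: /opt/cowrie/cowrie
    admin_ssh_port: 2200    # set ansible_port to this after the first run
    cowrie_version: master  # pin a release tag before deploying for real
  tasks:
    - name: Install roughly what Cowrie's install docs ask for
      ansible.builtin.apt:
        name: [git, python3-venv, python3-dev, libssl-dev, libffi-dev,
               build-essential, apt-transport-https, gnupg]
        update_cache: true
    - name: Create the unprivileged service user Cowrie runs as
      ansible.builtin.user:
        name: "{{ cowrie_user }}"
        home: /opt/cowrie
        shell: /bin/bash
        system: true
    - name: Fetch Cowrie
      ansible.builtin.git:
        repo: https://github.com/cowrie/cowrie.git
        dest: "{{ cowrie_dir }}"
        version: "{{ cowrie_version }}"
      become_user: "{{ cowrie_user }}"
    - name: Install its Python dependencies into a venv
      ansible.builtin.pip:
        requirements: "{{ cowrie_dir }}/requirements.txt"
        virtualenv: "{{ cowrie_dir }}/cowrie-env"
        virtualenv_command: python3 -m venv
      become_user: "{{ cowrie_user }}"
    - name: Overlay cowrie.cfg (cowrie.cfg.dist keeps the defaults) with JSON logging on
      ansible.builtin.copy:
        dest: "{{ cowrie_dir }}/etc/cowrie.cfg"
        owner: "{{ cowrie_user }}"
        mode: "0640"
        content: |
          [ssh]
          listen_endpoints = tcp:2222:interface=0.0.0.0
          [output_jsonlog]
          enabled = true
          logfile = ${honeypot:log_path}/cowrie.json
      notify: restart cowrie
    - name: Move the admin sshd off 22 so the honeypot can take it
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?Port '
        line: "Port {{ admin_ssh_port }}"
      notify: restart sshd
    - name: Redirect inbound 22 to Cowrie on 2222 (Cowrie never runs as root)
      ansible.builtin.iptables:
        table: nat
        chain: PREROUTING
        protocol: tcp
        destination_port: "22"
        jump: REDIRECT
        to_ports: "2222"
    - name: Start Cowrie (skipped if its pidfile already exists)
      ansible.builtin.command:
        cmd: "{{ cowrie_dir }}/bin/cowrie start"
        creates: "{{ cowrie_dir }}/var/run/cowrie.pid"
      become_user: "{{ cowrie_user }}"
    - name: Add Elastic's signing key and 7.x apt repo
      ansible.builtin.apt_key:
        url: https://artifacts.elastic.co/GPG-KEY-elasticsearch
    - ansible.builtin.apt_repository:
        repo: deb https://artifacts.elastic.co/packages/7.x/apt stable main
        filename: elastic-7.x
    - name: Install Filebeat and the per-pot shipper config kept beside the playbook
      ansible.builtin.apt:
        name: filebeat
        update_cache: true
    - ansible.builtin.copy:
        src: files/filebeat.yml
        dest: /etc/filebeat/filebeat.yml
        mode: "0600"
      notify: restart filebeat
    - ansible.builtin.systemd:
        name: filebeat
        enabled: true
        state: started
  handlers:
    - name: restart cowrie
      ansible.builtin.command: "{{ cowrie_dir }}/bin/cowrie restart"
      become_user: "{{ cowrie_user }}"
    - name: restart sshd
      ansible.builtin.service:
        name: ssh
        state: restarted
    - name: restart filebeat
      ansible.builtin.systemd:
        name: filebeat
        state: restarted
```

Two things to watch when running it. The sshd port change only takes effect when the handler restarts sshd at the end of the play, so the current Ansible connection survives, but every later run needs ansible_port: 2200 (or whatever you chose) in the inventory, and you want the admin port firewalled to your own addresses, since the pot will be advertising itself to every scanner on the internet. The REDIRECT rule is also not persistent across a reboot on its own; add iptables-persistent (or your distro’s equivalent) or the pot quietly goes back to exposing nothing on 22 after the first restart.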

From there, I think I’ll look at adding playbooks to install other honeypot types too.

Then I’ll move onto the management API/Interface and then the public website and API.