Set up some Honeypots and a Threat Map

Welcome back, my fellow ethical hackers. Remember, the content in this post is for educational purposes and should only be used for ethical reasons, so with that caveat, let’s get to work.

We will be using Digital Ocean and Vultr to deploy the honeypots, and the project we will be using is Modern Honey Network (MHN), from https://github.com/threatstream/mhn.

So, first we will need a server. On Digital Ocean we are going for an Ubuntu 16.04 virtual image with 4GB RAM, 4 cores and an 80GB disk.

We just need to name it now. Let’s go with mhn server.

Now that the droplet has been created, we can SSH into it. The first thing we need to do is create a non-root user; if you try to install as root, it can screw up some permissions. So on the command line type:

adduser dale

Or whatever name you are comfortable with. Then add a password. You can fill in the rest of the details if you like, but we didn’t bother. Next we will open the sudoers file (/etc/sudoers.tmp, which is what visudo opens) and give dale some permissions, basically root permissions.

The idea is just to copy all the permissions the root user has for dale. Ctrl+X, then Y and Enter will save that and exit. Now we just su dale and we are logged in as dale. Fantastico.
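
The same sudo grant can be made without hand-editing the main sudoers file. As an added example (not from the original post), this script writes the rule to a drop-in under /etc/sudoers.d and syntax-checks it with visudo before installing it, so a typo cannot break sudo. The function names and the --apply flag are made up for illustration; dale is the user created above.

```sh
#!/bin/sh
# Added example: grant sudo to the install user through a validated drop-in.
LC_ALL=C; export LC_ALL   # keep the [a-z] ranges below byte-based

# Print a rule mirroring root's default Ubuntu entry for the given user.
# Only plain lowercase account names are accepted, so nothing unexpected
# (spaces, NOPASSWD tags, dots that sudoers.d would ignore) gets through.
sudoers_rule() {
    case "$1" in
        ''|[!a-z_]*|*[!a-z0-9_-]*)
            echo "invalid username: $1" >&2
            return 1 ;;
    esac
    if [ "${#1}" -gt 32 ]; then
        echo "username too long: $1" >&2
        return 1
    fi
    printf '%s ALL=(ALL:ALL) ALL\n' "$1"
}

# Write the rule to a temp file, check it with visudo, then install it as
# /etc/sudoers.d/<user> with the owner and mode sudo requires. Run as root.
grant_sudo() {
    _tmp="$(mktemp)" || return 1
    if ! sudoers_rule "$1" > "$_tmp"; then
        rm -f "$_tmp"
        return 1
    fi
    if ! visudo -cf "$_tmp" >/dev/null; then
        echo "sudoers syntax check failed, nothing installed" >&2
        rm -f "$_tmp"
        return 1
    fi
    install -o root -g root -m 0440 "$_tmp" "/etc/sudoers.d/$1"
    rm -f "$_tmp"
}

# Only act when asked to, e.g.:  sh grant-sudo.sh --apply dale
if [ "${1:-}" = "--apply" ]; then
    grant_sudo "${2:?usage: $0 --apply USER}"
fi
```

Removing /etc/sudoers.d/dale once the installation is finished takes the root-equivalent access away again.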

Now that we have that set up, we can start the installation of the first honeypot. First we need to clone the project from GitHub to our Ubuntu server and set that up.

git clone https://github.com/threatstream/mhn.git

Next we will make a folder called mhn on our server.

mkdir mhn

And go into the folder.

cd mhn

Then run the installer from inside that directory.

sudo ./install.sh


We are almost finished with the installation when we get to here. There are a few details you can optionally fill in; just make sure you use a legitimate email address for that question and remember the password you used, as we will need those later.

Towards the end it will ask if you want to install Splunk or ELK, if you feel that you’d like to install those features also, have at it hoss. But for this post we won’t be doing that.

That’s it, the installation should now be complete. So let’s see if it’s working. Let’s grab the IP of the server.

ifconfig

And we just need to open that IP in a web browser. What we get is a login page from the server.

We will need to log in with the same email and password that we set up previously. Et voilà, we are logged into the server.

We can see no attacks yet, which is nice, but we have only just spawned the server. Give it time 😉

Next we need to deploy the honeypot. In the top menu, choose Deploy and next we just need to name our honeypot and any scripts that we may like to add.

For the scripts option, we need to choose from the dropdown menu anything we’d like to use. Let’s choose Snort for this post.

As we can see it populates everything for us. Snort is an Intrusion Detection System that is going to monitor our server.

Next we need to head back to Digital Ocean and create a new droplet, add the SSH keys and give it a name.

To connect to the Snort server from our Ubuntu server we just need to use the command that was given to us when we chose Snort earlier.

Just copy the command and run it on the Ubuntu command line. Next, in the top menu of the honeypot server, choose Sensors>View Sensors to see if we are connected.

We can see there have already been 2 attacks, interesting 🙂 So let’s click on the number 2.

So we have had 2 random attacks. We can grab the IP and inspect that further if we wish. We can also find out what type of attacks they are. In the menu again, choose the Payloads tab.

It looks like someone is trying to download blocks or something, and it is advising we block the connection. It’s just a honeypot, so let them work away. Finally, let’s go to the Maps option in the menu.

Here we can see the attacks happening in real time, plotted by their source location. And we are done!!

Thank you so much for reading, please pass it on to anyone who is interested and don’t forget to subscribe to our blog. Ciao for now 😉

QuBits 2019-09-02
