I was recently teaching some of our new SOC analysts the basics of Splunk (every new Hurricane Labs employee goes through the same training course – they just get the in-person variety), and was really impressed with their analysis of the events logged by their AWS instances. This got me thinking – we’re already basically creating an SSH honeypot in the lab. Why don’t we add a few more features to make this even more interesting? Which has led me to this tutorial.

A few weeks ago I became curious as to what types of credentials were being attempted on SSH. I came up with the idea of creating a honeypot and capturing. It’s one thing to know what users are logging in, and that they’re not successful in doing so, but what if you could also find out what passwords they’re trying? This was accomplished using the process outlined in this Hacker Noon article: “How I’ve captured all passwords trying to ssh into my server!” (It should go without saying, but please don’t run this on a system that you care about.) Let’s start by getting some more data, and then we’ll do something with it.

Whenever I’m teaching I prefer to use real examples when possible as opposed to contrived ones. This is why in my online training class, Getting to Know Splunk: The Hands-On Administration Guide, there are no sample log files that you are asked to work with. Instead – you capture the actual log files from your training system and work with them. I believe this is a much more valuable teaching tool, since it drives home the point that attackers are constantly trying to break into systems on the Internet.

By default, this rule allows any IP address to SSH to your EC2 instance. AWS even throws a warning telling you to lock this down. At a minimum, you want to change the Source IP on the SSH rule.

Dockpot creates a Docker container and uses NAT to send SSH connections to it. When new traffic is coming in, a fresh container is created. When the container is no longer used, it destroys the container. Dockpot uses HonSSH, which in its turn is based on the work of the Kippo honeypot.

Overall, there are 4 places for configuration: The Cowrie config file. This is the main config file of the honeypot. You can configure path names (and hence modify names below), login options, prompts, architecture etc.

The proposed honeypot is a medium interaction system developed using Python and it emulates an SSH (Secure Shell) server. Which visualizations can be used to give more insight into attacks performed on SSH honeypots. Many honeypots are hosted at well-known cloud providers. 724 IPs run both an SSH and Web honeypot. We looked for commands in the revision history (uname -a, tftp) in Cowrie.