If you’re aspiring to become a computer security professional, want to understand the current threat landscape, or simply want to experiment with some computer security tools, then setting up a honeypot is a good place to start. If you’re unsure what a honeypot is, Wikipedia defines one as:
“In computer terminology, a honeypot is a computer security mechanism set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems. Generally, a honeypot consists of data (for example, in a network site) that appears to be a legitimate part of the site but is actually isolated and monitored, and that seems to contain information or a resource of value to attackers, which are then blocked. This is similar to the police baiting a criminal and then conducting undercover surveillance, and finally punishing the criminal.”
In this article, we’re going to run through the process of setting up your own honeypot using a prebuilt tool referred to as the Modern Honeypot Network (MHN).
Requirements and Assumptions: This tutorial assumes that you already have a medium to strong understanding of the Ubuntu command line interface and its basic functions. You will also need to have set up a DigitalOcean account.
Outcome: By the end of this tutorial you should have created a command server with at least one sensor attached to it, all created using tools provided by the Modern Honeypot Network.
Stage 1 – Creating the Command Server
In this stage, you will be setting up an Ubuntu server on DigitalOcean. At the end of this stage, you should have a fully working server running the Ubuntu operating system and should have received a confirmation email from DigitalOcean. You can achieve this by following the steps below:
Stage 1.1 – Creating a droplet
First, you will need to sign into your DigitalOcean account with the username and password you entered on creation.
Now you will need to set up your droplet. In this instance, we will be using the bare minimum required to run our server. First, choose the underlying operating system for your command server. Once we have finished, we will be working through a web GUI front end, so the underlying OS is not overly important; in this instance we will be using Ubuntu.
As of 10/06/2018 MHN can be run on any of the following operating system versions: Ubuntu 14.04, Ubuntu 16.04, and CentOS 6.9. For an up-to-date list of compatible operating systems, check the GitHub repository.
Next, we will choose the specifications of our command server. This server only takes in the information given to it by our sensors, so it will not be performing any overly complicated tasks. It therefore makes sense to choose the least expensive option that still meets the memory requirement. In this instance we will choose the ‘$20/mo’ option, so that we have at least 2GB of RAM on the command server.
The final option on this setup page is the location in which our server is based. It is best to choose a location close to where you will primarily be working with the server, but this choice is up to you. As I work out of the UK I’ll be selecting London.
Finally, you will be presented with several additional options. We will not be using any of these in this instance, so we can simply move on to creating our droplet. To do so, select ‘Create’. You may then need to set up your payment information if you have not done so in the past.
Once the above has been completed, you will be emailed the details for your new server, which you can take forward to the next stage. This stage is required because our sensors need a command server to communicate with.
Stage 2 – Setting up the Command server:
Now that we have set up the operating system for our command server, we need to add the Modern Honeypot Network (MHN) framework. At the end of this stage, you should have a fully working honeypot with a working GUI web front end. This can be achieved by following the steps below:
For the remainder of this tutorial, we will be using the command line interface (CLI) on Ubuntu, so we will need a tool to access it. In this instance, I will be using a tool called PuTTY (for Windows), which is a free tool that can be used for an array of tasks.
Once you have downloaded PuTTY from their website you can launch it like any other .exe program.
Stage 2.2 – Accessing your server and installing MHN:
After you have completed the above, enter the IP address that you were emailed by DigitalOcean into the PuTTY field labelled ‘Host Name (or IP address)’, then select ‘Open’. You will be taken to a CLI where you will be asked to enter the server’s username and password (these will also have been emailed to you). After this you will be asked to change the server’s password.
You will now have access to your server and its CLI. The next step is to install the software needed to run the Modern Honeypot Network. Enter the following commands in order, dealing with any errors that occur accordingly.
    # Refresh the package index first, then apply pending upgrades
    sudo apt-get update
    sudo apt-get upgrade
    # Fetch the MHN source into /opt and run its installer
    cd /opt/
    sudo apt-get install git -y
    sudo git clone https://github.com/threatstream/mhn.git
    cd mhn
    sudo bash install.sh
Eventually, you will be greeted with a prompt asking you to answer an array of questions for your honeypot. The answers depend solely on what you want to set them as; however, see the image below for an example of an input.
After the above, the script will continue to configure the Modern Honeypot Network setup and will take a sizeable amount of time. During this process, you will also be asked if you want to integrate the honeypot with Splunk. For simplicity we will select ‘no’ in this instance.
After the installation has taken place you will then be able to visit your server via a web browser. If you point your web browser to the IP address sent to you by DigitalOcean you will be able to access your server’s web GUI.
This stage was required to set up MHN on your main command server and to create the GUI interface you will use day to day.
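MHN's installer runs its services under supervisor, so a quick way to confirm the command server came up cleanly is to check `supervisorctl status`. The script below is an added example, not part of the original tutorial or the MHN project; the sample status text and the program names in it are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: flag MHN services that supervisor does not report as RUNNING.

# Constructed sample of `supervisorctl status` output (not captured from a
# real server; the program names are assumptions for illustration).
SAMPLE_STATUS='geoloc                 RUNNING   pid 1201, uptime 0:12:41
honeymap               RUNNING   pid 1202, uptime 0:12:41
hpfeeds-broker         RUNNING   pid 1203, uptime 0:12:41
mhn-celery-beat        RUNNING   pid 1204, uptime 0:12:41
mhn-celery-worker      FATAL     Exited too quickly (process log may have details)
mhn-collector          RUNNING   pid 1206, uptime 0:12:41
mhn-uwsgi              RUNNING   pid 1207, uptime 0:12:41
mnemosyne              STARTING'

# Print the name of every program whose state column is not RUNNING.
failed_services() {
    awk 'NF >= 2 && $2 != "RUNNING" { print $1 }'
}

# Read status text on stdin. Returns 0 if everything is RUNNING, 1 if any
# program is in another state, 2 if there was no output at all (for example
# supervisor itself is down), which must not be mistaken for "healthy".
mhn_health() {
    mhn_status=$(cat)
    if [ -z "$mhn_status" ]; then
        echo "no supervisor status output" >&2
        return 2
    fi
    mhn_bad=$(printf '%s\n' "$mhn_status" | failed_services)
    if [ -n "$mhn_bad" ]; then
        printf 'NOT RUNNING: %s\n' $mhn_bad
        return 1
    fi
    echo "all services RUNNING"
}

# Demo on the sample; on the command server use:
#   sudo supervisorctl status | mhn_health
printf '%s\n' "$SAMPLE_STATUS" | mhn_health || true
```

A non-zero exit status makes the function usable from cron or a monitoring check, so a sensor pipeline that has silently stopped collecting is noticed.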
Stage 3 – Deploying sensors:
In this stage, you will complete your Modern Honeypot Network setup. After this stage, you should have set up at least one sensor (based on DigitalOcean) that will communicate back to your command server.
As part of this stage we need to create an additional droplet as we did in Stage 1.1 – Creating a droplet. The only difference is that this droplet can be created at any location and you can use the ‘$5/mo’ option, as these sensors do not require the same amount of RAM as the Command Server.
Stage 3.3 – Running the sensor Script:
Now that you have a second working DigitalOcean droplet, we can run a Bash script on it to connect it to your command server. To do this, sign in to your command server via the web GUI and go to the ‘Deploy’ section. Once in this section, select ‘Ubuntu – Snort’. In the ‘Deploy command’ section you will be presented with a script. Copy this script into the CLI for the new droplet and wait for it to complete. Once completed, you can also choose ‘Ubuntu – Glastopf’ and enter the generated script into your CLI.
After you have completed this, your honeypot will be fully functional and will begin to collect attack data from malicious actors that target the honeypots. You can view this data from the web GUI. This stage can be repeated on additional DigitalOcean droplets to create multiple sensors and to increase the attack surface.