In computer terminology, a honeypot is a computer security mechanism set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems. Generally, a honeypot consists of data (for example, in a network site) that appears to be a legitimate part of the site but is actually isolated and monitored, and that seems to contain information or a resource of value to attackers, which are then blocked. This is similar to the police baiting a criminal and then conducting undercover surveillance, and finally punishing the criminal.
By the end of this tutorial you should have created a command server with at least one sensor attached to it, all being created by using tools provided by the Modern Honeypot Network
Step 1- Digitalocean and an Ubuntu server.
In this stage you will be setting up an Ubuntu server on Digitalocean. At the end of this stage you should have a fully working server running the Ubuntu operating system and should have received a confirmation email from DigitalOcean. You can achieve this by following the below steps:
STEP 1.1 – Creating a droplet
Select Ubuntu under ‘Choose an image’
First you will need to sign into your DigitalOcean account with the username and password you entered on creation.
Now you will need to set up your droplet, in this instance we will be using the bare minimum required to run our server. First off you will need to choose the underlying operating system for your command server. Once we have finished we will be using a website GUI front end so the underlying OS is not overly important, however in this instance we will be using Ubuntu (Make sure this is the version specified in the image to the right) .
Select the ‘$5/mo’ option
Next we will be choosing the specifications of our command server. This server will be taking the information given to it by our sensors and in turn will not be performing any overly complicated tasks. That being the case it is a good choice to choose the least expensive option in this regard. That being the case in this instance we will choose the ‘$5/mo’ option.
Select a location closest to you.
The final option that we will be dealing with on this setup page is the location in which our server is based. It is best to choose a location that is closer to where you will be primarily dealing with the server however this choice is up to you. As HackingInsider works out of the UK we will be selecting London.
Finally you will be presented with several additional options, in regards to this instance we will not be using any of these and we can now simply move onto creating our droplet. To do so select ‘Create’. After which you may need to set up your payment information depending on if you have done so in the past.
After the above has been completed you will be emailed the details for your new server of which you can take forward to the next stage. The above is required due to the necessity of having a command sever that our AWS sensors will communicate with. On average the above process should take around 5 to 10 minutes to complete.
Step 2 – Setting up the control server:
Now we have set up the backend for our server we will now need to add the Modern Honeypot Network (MHN) framework to our server. At the end of this you should have a fully working Honeypot with a working GUI web front end. This can be achieved by following the below steps:
Step 2.1 – Installing a command line interface tool:
The Putty GUI
For the remainder of this tutorial we will be using the command line interface (CLI) on Ubuntu, that being the case we will need a tool we can use to operate this. In this instance I will be using a tool called Putty, which is a free tool that can be used for an array of tasks.
Once you have downloaded putty off their website you can launch it like any other .exe program.
Step 2.2 – Accessing your server and installing MHN:
After you have completed the above you will need to enter the IP that you were emailed by DigitalOcean into the section on Putty that asks for ‘Host Name (or IP address)’. After you have done this, select ‘Open’. You will be taken to a CLI of which you will be asked to enter the server’s username and password (These would have also been emailed to you). After so you will be asked to change the server’s password.
You will now have access to your server and in turn its CLI. The next step of which will be to install the needed software to run the Modern Honeypot Network. Once here you will need to enter the following commands in order, dealing with any errors that occur accordingly.
sudo apt-get upgrade
sudo apt-get update
apt-get install git -y
git clone https://github.com/threatstream/mhn.git
sudo bash install.sh
Eventually you will be greeted with a prompt asking for you to enter an array of questions for your Honeypot. These will depend solely on what you want to set them as, however see the image below for an example of an input.
After the above the script will continue to configure the Modern Honeypot Network setup and will take a sizable amount of time. During this process you will also be asked if you want to integrate the honeypot with Splunk, for simplicity we will select ‘no’ in this instance.
Web interface for MHN
After the installation has taken place you will then be able to visit your server via a web browser. If you point your webbrowser to the IP address sent to you by DigitalOcean you will be able to access your server’s web GUI.
This stage was required to set up MHN on your main command server and to create the GUI interface you will use day to day. This stage will take approximately 30 minutes due to the installation time.
Step 3 – Deploying sensors:
In this stage you should finish the completion of your Modern Honeypot Network setup. After this stage you should have set up at least one sensor (based off AWS) that will communicate back to your command server. You can achieve this by following the below steps:
Step 3.1 – Set up an AWS instance:
After creating your AWS account you will be directed to a screen detailing an array of Amazon Web Services, on this screen you are looking for the one labelled EC2. After which you will need to locate the button labelled ‘launch instance’.
Choose Ubuntu as your AMI
When launching this instance you will need to follow very similar steps to previously when working with Digitalocean. First you will need to select the operating system you wish to be installed on the server, in this case we will be using Ubuntu.
Add a security group to allow all traffic from all IPs
Next you will continue through the setup process selecting the next button as appropriate, this being until you reach the ‘Step 6: Configure Security Group’ page. On this page you will create a security group that allows for traffic to access the server from any IP address.
Create a keypair
After you have done this you can review your setup and then finally click ‘Launch’. Once you have selected this you will be asked to make a ‘Key pair’. Once you have created your key pair you will need to download it.
After you have completed the above stages you will have set up an AWS server and can view it by selecting the ‘instances’ button.
Step 3.2 – Accessing your instance via Putty:
Load your .PEM key and save a .PPK key
As Putty does not accept the default .pem key files that AWS creates we will need to convert it. You can do this by using the tool puttygen.exe of which should have been downloaded along with putty. Once opened you will need to select the ‘Load’ button and find your .pem key. You will then need to select ‘Save private key’ and save it as the same name as your key was on AWS.
Load your .PPK key
After you have done this you will need to open up Putty again and go to ‘Category’ > ‘Connection’ > ‘SSH’ > ‘Auth’. Once here you will need to ‘Browse’ to your newly created key file.
ubuntu@<Your server’s Public DNS>
Once you have done this you will need to SSH into your Ubuntu server, do this by following the image below.
After you have SSHed into the server you will once again be confronted with a CLI of which should allow you to access your Ubuntu instance.
Step 3.3 – Running the sensor Script:
Select ‘Ubuntu – Snort’ in the ‘Select Script’ section
Now you have a working AWS instance we can now run a Bash script on it to connect it to your command server. To do this you will need to sign into your command server via your website GUI and go to the ‘Deploy’ section. Once in this section you will need to select ‘Ubuntu – Snort’. In the ‘Deploy command’ section you will be presented with a script. Copy this script into your AWS CLI and wait for it to be completed. Once completed you can also choose ‘Kippo as vulnerable juniper netscreen’ and enter that into your CLI.
After you have completed this you’r Honeypot will now be fully functional and will begin to collect attack data from those who attack it. You can view this data from the website GUI interface.