Thursday 30 May 2019

Honeypot deployment on Linux - OpenCanary

What’s a honeypot what what it’s purpose ?

It’s basically a computer or Virtual Machine emulating some services (ex: ssh, ftp, telnet, netbios, https, samba server etc) and accepting, logging and sending warnings of all incoming connections. You can use it as intrusion detection or early warning system but it also might go a little further and allow one to get inside the intruders ”head” since you get to log every interaction.

How and where should it be placed?

Let’s start with “where”. I usually place them in specific areas to get an idea how/or if the network is tested from outside or inside. So I have about three major areas; behind firewalls, in “sensible zones” where only pre-defined machines should have access and in the “public zone” such as administrative/general network.

Placing a honeypot behind firewalls/”sensible zones” will ensure that the firewall is doing it’s and if you get a hit that means you have a miss-configurations or a serious intrusion. Honeypots placed in the “public zone” will give you a glimpse if you have some outsider skimming your network, an inside threat or just a very network-enthusiastic co-worker… to put it mildly.

How to place it? This answer can be split in two parts, hardware and timeline.
  • Since the minimum hardware requirements are very low Virtual Machines are the best option. 1 vCPU and 512 RAM will be enough for each instance.
  • Timeline; If you have the resources (basically mature security team with proper tools) then all of them at the same time. If not, deploying the honeypots from the most to the least secure zones in the network is recommended. In the most secure zone you should have no events at all where as in the least you might get a couple, his approach will give some time to understand eventual breaches and mature responses. (opposite to having lots of hits all across the network and spreading resources in order to understand what’s happening)

Which software and how to install it?

A very simple honeypot is opencanary. It’s freeware, it emulates windows/linux server, as well as mysqlServer, ftp, ssh, I can generate events to syslog files, log file and via email. Usually I ran it on an Ubuntu Server with 1vCpu and 512ram.

  • Install Ubuntu server version and make all the security updates
  • Install necessary libs and the honeypot
$ sudo apt-get install python-dev python-pip python-virtualenv
$ virtualenv env/
$ . env/bin/activate
$ pip install opencanary
$ sudo apt-get install -y build-essential libssl-dev libffi-dev python-dev
$ pip install rdpy
  • Finally run it for the first time (default configuration)
. env/bin/activate
$ opencanaryd --copyconfig
$ opencanaryd --start

Edit the file /.opencanary.confand set the this line "http.enabled":true and restart the service with the command: opencanaryd --restart This will enable the http server. Now point your browser to http://your-ip-addr and check your brand new Synology RackStation!

Try your luck by logging In with some commonly used user/passwords. Now check some opencanary logs in the file /var/tmp/opencanary.log


Your webserver fake page


OpenCanary Log file


Pretty interesting humm? Timestamp, user/pass tries, ip addresses…

Edit the configuration!


Now let’s create some services so the honeypot gets really sweet. Edit the configuration file /.opencanary.conf


{
"device.node_id": "HoneyPot-ServerName-Good-idea-to-change-it",
"git.enabled": false,
"git.port" : 9418,
"ftp.enabled": true,
"ftp.port": 21,
"ftp.banner": "FTP server ready",
"http.banner": "Apache/2.2.22 (Ubuntu)",
"http.enabled": true,
"http.port": 80,
"http.skin": "nasLogin",
"http.skin.list": [
{
"desc": "Plain HTML Login",
"name": "basicLogin"
},
{
"desc": "Synology NAS Login",
"name": "nasLogin"
}
],
"httpproxy.enabled" : false,
"httpproxy.port": 8080,
"httpproxy.skin": "squid",
"httproxy.skin.list": [
{
"desc": "Squid",
"name": "squid"
},
{
"desc": "Microsoft ISA Server Web Proxy",
"name": "ms-isa"
}
],
"logger": {
"class": "PyLogger",
"kwargs": {
"formatters": {
"plain": {
"format": "%(message)s"
}
},
"handlers": {
"console": {
"class": "logging.StreamHandler",
"stream": "ext://sys.stdout"
},
"file": {
"class": "logging.FileHandler",
"filename": "/var/tmp/opencanary.log"
}
}
}
},
"portscan.enabled": false,
"portscan.logfile":"/var/log/kern.log",
"portscan.synrate": 5,
"portscan.nmaposrate": 5,
"portscan.lorate": 3,
"smb.auditfile": "/var/log/samba-audit.log",
"smb.enabled": false,
"mysql.enabled": false,
"mysql.port": 3306,
"mysql.banner": "5.5.43-0ubuntu0.14.04.1",
"ssh.enabled": true,
"ssh.port": 22,
"ssh.version": "SSH-2.0-OpenSSH_5.1p1 Debian-4",
"redis.enabled": false,
"redis.port": 6379,
"rdp.enabled": false,
"rdp.port": 3389,
"sip.enabled": false,
"sip.port": 5060,
"snmp.enabled": false,
"snmp.port": 161,
"ntp.enabled": false,
"ntp.port": "123",
"tftp.enabled": false,
"tftp.port": 69,
"tcpbanner.maxnum":10,
"tcpbanner.enabled": false,
"tcpbanner_1.enabled": false,
"tcpbanner_1.port": 8001,
"tcpbanner_1.datareceivedbanner": "",
"tcpbanner_1.initbanner": "",
"tcpbanner_1.alertstring.enabled": false,
"tcpbanner_1.alertstring": "",
"tcpbanner_1.keep_alive.enabled": false,
"tcpbanner_1.keep_alive_secret": "",
"tcpbanner_1.keep_alive_probes": 11,
"tcpbanner_1.keep_alive_interval":300,
"tcpbanner_1.keep_alive_idle": 300,
"telnet.enabled": true,
"telnet.port": "23",
"telnet.banner": "",
"telnet.honeycreds": [
{
"username": "admin",
"password": "$pbkdf2-sha512$19000$bG1NaY3xvjdGyBlj7N37Xw$dGrmBqqWa1okTCpN3QEmeo9j5DuV2u1EuVFD8Di0GxNiM64To5O/Y66f7UASvnQr8.LCzqTm6awC8Kj/aGKvwA"
},
{
"username": "admin",
"password": "admin1"
}
],
"mssql.enabled": false,
"mssql.version": "2012",
"mssql.port":1433,
"vnc.enabled": false,
"vnc.port":5000
}

Read more »
Posted by at 2 comments:
Labels: , , , ,
Subscribe to: Posts (Atom)