Have you ever wanted to control a vast medium small network of honeypots but only had an hour and about $40 a month to spend on your project? So did I! So with the help of Digital Ocean and Anomali's Modern Honey Network (MHN) we can now do it!
For a basic distributed Cowrie network you will need:
1 – $20 a month Digital Ocean Droplet for the MHN Server.
4 – $5 a month Digital Ocean Droplets for the Cowrie honeypots.
Configuring The MHN Server:
Setting up the server is as easy as running these commands on your controller droplet and waiting 10 minutes:
sudo apt update
sudo apt upgrade -y
cd /opt/
sudo git clone https://github.com/threatstream/mhn.git
cd mhn/
sudo ./install.sh
After it installs everything it needs it will ask you the following questions:
Do you wish to run in Debug mode?: y/n n
Superuser email: [email protected]
Superuser password:
Superuser password: (again):
Server base url ["http://honeypot.jgamblin.com"]:
Honeymap url [":3000"]: http://honeypot.jgamblin.com:3000
Mail server address ["localhost"]:
Mail server port [25]:
Use TLS for email?: y/n n
Use SSL for email?: y/n n
Mail server username [""]:
Mail server password [""]:
Mail default sender [""]:
Path for log file ["/var/log/mhn/mhn.log"]:
Would you like to integrate with Splunk? (y/n)n
Would you like to install ELK? (y/n)n
Once that is done you now have a working MHN server:
Configuring The HoneyPots:
At this time MHN supports 17 honeypots for easy deployment:
I have used Cowrie in the past and like it a lot, so I decided to use it for this blog post. You can deploy Cowrie honeypots that report to your MHN server with the following commands on each honeypot droplet:
sudo apt update
sudo apt upgrade -y
sudo apt install python -y
wget "https://gist.githubusercontent.com/jgamblin/e2c5432fa4518876c0536b625f90f8da/raw/67f792b549198a9bff15fd863e4e0cca6ae50b37/cowrie.sh" -O deploy.sh && sudo bash deploy.sh http://yourmhnserver yourcode
# An update broke the deployment script and there is a proposed fix.
# I copied the proposed fix to the gist used here.
# The original deploy command, served by the MHN server itself, was:
# wget "http://yourmhnserver/api/script/?text=true&script_id=14" -O deploy.sh && sudo bash deploy.sh http://honeypot.jgamblin.com yourcode
This script moves your *real* SSH port to 2222 and starts the honeypot on port 22 (SSH) and port 23 (Telnet), so your next login to the droplet has to use port 2222.
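Because the deploy script moves the real sshd to 2222 and hands 22 and 23 to Cowrie, the thing you most want to confirm before closing your current session is that all three ports are actually listening (a missing 2222 means the next login fails, and a missing 22 or 23 means the honeypot is not catching anything). The following check is an added example and not part of the original post or of MHN; it parses `ss -ltn` output, and the two listings embedded in it are constructed samples, not captures from my droplets.

```shell
#!/bin/sh
# Post-deploy sanity check for a Cowrie node deployed through MHN (added example).
# Expected listeners after deploy.sh: real sshd on 2222, Cowrie on 22 (SSH) and 23 (Telnet).

expected_ports() { echo "22 23 2222"; }

# missing_ports LISTING
#   LISTING is the output of `ss -ltn` (one socket per line; column 4 is Local Address:Port).
#   Prints the expected ports that are NOT listening, space separated; prints nothing if all are up.
missing_ports() {
  listing="$1"
  missing=""
  for p in $(expected_ports); do
    # Take the text after the last ':' of column 4 so both 0.0.0.0:22 and [::]:22 match.
    if ! printf '%s\n' "$listing" | awk -v port="$p" '
        { n = split($4, a, ":"); if (a[n] == port) found = 1 }
        END { exit (found ? 0 : 1) }'; then
      missing="$missing $p"
    fi
  done
  echo "${missing# }"
}

# Constructed sample: sshd moved to 2222 and Cowrie on 22, but Telnet (23) never came up.
SAMPLE_TELNET_DOWN='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:2222        0.0.0.0:*
LISTEN  0       128     [::]:2222           [::]:*
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*'

# Constructed sample: the healthy state the deploy script should leave behind.
SAMPLE_OK='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:2222        0.0.0.0:*
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     0.0.0.0:23          0.0.0.0:*'

# Run with --live on the honeypot droplet to check the real socket table; exit 1 on any gap.
if [ "$1" = "--live" ]; then
  gaps=$(missing_ports "$(ss -ltn)")
  if [ -n "$gaps" ]; then
    echo "not listening: $gaps" >&2
    exit 1
  fi
  echo "sshd on 2222 and Cowrie on 22/23 are all listening"
fi
```

Run it as `sh check.sh --live` from the same SSH session you used to deploy, before opening a new one. One caveat the port move creates: if a Digital Ocean cloud firewall or a host firewall in front of the droplet only permits port 22, that rule now reaches Cowrie rather than sshd, so 2222 has to be allowed as well or you lock yourself out of your own honeypot.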
Once the script is complete, the honeypots show up in your MHN server:
Looking at the Data:
Within minutes you will have data to look at. My honeypots were up for under 30 minutes and I had a lot of data:
Next Steps?
There are 16 other types of honeypots you can run. WordPot is an amazing WordPress Honeypot and Dionaea is a great way to capture your own malware samples. I will likely run both and a few more as I keep playing with this project.
Have any questions? Reach out to me on twitter @jgamblin.