A honeypot is a piece of software or a device that exists only to be attacked. Yes, that is the whole point of a honeypot: when you deploy one, its job is to get attacked. When an attacker interacts with the honeypot, it starts logging the attacker's activity: what they are doing in the system, which files they download, which commands they execute, and so on. A honeypot can also capture malware samples, which you can examine later with malware analysis tools.
Deploying a honeypot has always been a challenging and tricky job. The Modern Honey Network (MHN) project by Anomali Inc (formerly known as ThreatStream) makes that job easy and interesting. MHN lets you deploy a variety of honeypots automatically: copy the deploy script from the MHN server, paste it on your honeypot machine, and you are online. The benefit is that all of your attack statistics land in one central place, the MHN server, which has a nice graphical interface for viewing the status of the honeypots, or sensors.
It is always advisable to deploy a honeypot in an environment separate from production, since the whole point of the machine is to get compromised, and my choice for that is Amazon. Today we will deploy our MHN server on an Amazon EC2 Ubuntu 14.04 instance.
It might seem weird that I am showing the solution first instead of the problem. What I have seen is that when people run into a problem in a new deployment, some start searching for the solution instead of reading the full document, some give up, and some actually go through the whole process. You may not hit this problem, but if you do while installing the MHN server, come back to this section and apply the tweaks. It worked for me, and I found the solution on the MHN GitHub page. I tried to install the MHN server several times and hit this error every time; otherwise the installation script is very smooth. Again, you can skip this section for now, continue with the installation section, and come back later if you face the problem.
Traceback (most recent call last):
...
sqlalchemy.exc.ProgrammingError: (pysqlite2.dbapi2.ProgrammingError) You must not use 8-bit bytestrings unless you use a text_factory that can interpret 8-bit bytestrings (like text_factory = str) ...
If your installation ends with that error, do the following. Go to the /opt/mhn/server/mhn/api/ directory, open models.py with your favorite editor, and add the three lines below right after the import string statement. (This is a Python 2 workaround: reload(sys) brings back the setdefaultencoding hook that the interpreter normally removes at startup, so the 8-bit byte strings produced during the rule import are treated as UTF-8.)
vim /opt/mhn/server/mhn/api/models.py
import sys
reload(sys)
sys.setdefaultencoding('utf-8')
Then find the line containing ref.text in that file and replace it with the line below, so the byte string is decoded before it is handed to SQLite.
# Before
ref.text = r
# After
ref.text = r.decode('utf-8')
Save and exit the file. Then start the installation again with sudo ./install.sh from the /opt/mhn directory.
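If you rebuild the server more than once, it is handy to apply the two edits above from a script rather than by hand. The block below is an added example written for this post; it is not part of the MHN project and the MHN repository does not ship such a script. It assumes models.py still contains an "import string" line and a bare "ref.text = r" assignment, exactly as described above, and it only makes sense for the Python 2 interpreter MHN runs on Ubuntu 14.04 (reload(sys) and sys.setdefaultencoding do not exist in Python 3).

```sh
#!/bin/sh
# Added example, not from the original post or the MHN project: apply the
# models.py workaround from a script so it can be re-run on a fresh clone.
# Assumes the file still has an "import string" line and a "ref.text = r"
# line, as the post describes. Python 2 only.

# patch_models <path-to-models.py>
# Inserts the three Python 2 lines after "import string" and rewrites the
# "ref.text = r" assignment to decode the byte string. Safe to run twice.
patch_models() {
    f="$1"
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    # Already patched: leave the file untouched.
    if grep -q "sys.setdefaultencoding('utf-8')" "$f"; then
        return 0
    fi
    awk '
        # rewrite the bare assignment, keeping whatever indentation it had
        /^[[:space:]]*ref\.text = r[[:space:]]*$/ {
            sub(/ref\.text = r[[:space:]]*$/, "ref.text = r.decode(\047utf-8\047)")
        }
        { print }
        # emit the encoding hack directly after the "import string" line
        /^import string[[:space:]]*$/ {
            print "import sys"
            print "reload(sys)"
            print "sys.setdefaultencoding(\047utf-8\047)"
        }
    ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# models_patched <path-to-models.py>: returns 0 if both edits are present.
models_patched() {
    grep -q "sys.setdefaultencoding('utf-8')" "$1" &&
    grep -q "ref.text = r.decode('utf-8')" "$1"
}

# Usage on the MHN server (runs only when a path is given, so the functions
# can also be sourced from another script):
#   sudo sh patch_models.sh /opt/mhn/server/mhn/api/models.py
if [ -n "${1:-}" ]; then
    patch_models "$1" && echo "patched $1; now re-run: cd /opt/mhn && sudo ./install.sh"
fi
```

The awk pass rewrites the file in one go and the grep guard makes a second run a no-op, so the script can sit at the start of any rebuild procedure without producing duplicate import lines.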
Follow the procedure below to install the MHN server. It is good practice to update everything first and then do the rest:
sudo apt-get update && sudo apt-get upgrade
sudo apt-get install git -y
cd /opt/
sudo git clone https://github.com/threatstream/mhn.git
Cloning into 'mhn'...
remote: Counting objects: 6263, done.
remote: Total 6263 (delta 0), reused 0 (delta 0), pack-reused 6263
Receiving objects: 100% (6263/6263), 3.46 MiB | 1.14 MiB/s, done.
Resolving deltas: 100% (3214/3214), done.
Checking connectivity... done.
You will find a folder called mhn in your present working directory. Go into that directory and install the server.
cd mhn/
sudo ./install.sh
This starts the installation, which takes some time. Wait until you see the prompts below; you need to answer some questions. Remember your answers, because you will need them to access the server. Give the public IP address or DNS name of the EC2 instance as the Server base url: the honeypot sensors fetch their deploy scripts from that address, so it has to be reachable from them, not just from inside the VPC.
Do you wish to run in Debug mode?: y/n n
Superuser email: your@emailaddress
Superuser password:
Superuser password: (again):
Server base url ["http://XXX.XXX.XXX.XXX"]: http://XXX.XXX.XXX.XXX
Honeymap url ["http://XXX.XXX.XXX.XXX:3000"]: http://XXX.XXX.XXX.XXX:3000
Mail server address ["localhost"]:
Mail server port :
Use TLS for email?: y/n n
Use SSL for email?: y/n n
Mail server username [""]:
Mail server password [""]:
Mail default sender [""]:
Path for log file ["/var/log/mhn/mhn.log"]:
After pressing Enter you will see output like this:
Initializing database, please be patient. This can take several minutes
+ python initdatabase.py
Imported 500 rules so far...
Imported 1000 rules so far...
.....
In my experience this is where the script throws the error I described earlier: after importing some rules, it fails. If you face the error, go to the Solution section of this article. On a clean installation you will see messages like the ones below. The script asks whether to integrate with Splunk and whether to install ELK; for simplicity I chose no to both.
+ echo -n 'Would you like to integrate with Splunk? (y/n) '
Would you like to integrate with Splunk? (y/n)
+ read SPLUNK
n
. .
Would you like to install ELK? (y/n)
+ read ELK
n
. .
Completed Installation of all MHN packages
That's it. The MHN server installation is done.
To make sure everything is in order, run these three commands.
sudo /etc/init.d/nginx status
* nginx is running
sudo /etc/init.d/supervisor status
is running
sudo supervisorctl status
geoloc RUNNING pid 15484, uptime 0:39:31
honeymap RUNNING pid 15485, uptime 0:39:31
hpfeeds-broker RUNNING pid 28227, uptime 0:45:04
mhn-celery-beat RUNNING pid 17098, uptime 0:08:42
mhn-celery-worker RUNNING pid 17166, uptime 0:01:37
mhn-collector RUNNING pid 17100, uptime 0:08:42
mhn-uwsgi RUNNING pid 17101, uptime 0:08:42
mnemosyne RUNNING pid 13669, uptime 0:42:24
As you can see, nginx and supervisor are running, and every MHN process managed by supervisor reports RUNNING, which means the server is working. Any other state for one of these programs (for example STOPPED, FATAL or BACKOFF) means that component is not working and its log needs a look. By default, the MHN server sends anonymous attack data to ThreatStream. If you would like to disable that, run the following:
cd /opt/mhn/scripts
sudo ./disable_collector.sh
mhn-collector: stopped
mhn-collector: updated process group
mhn-collector should now show as STOPPED in sudo supervisorctl status; every other program should still be RUNNING.
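Reading the supervisorctl table by eye works once, but a server you rebuild or leave running for months deserves a check that can run from cron or at the end of a deployment script. The block below is an added example written for this post, not part of MHN. It assumes the program names listed in the supervisorctl output above, and that supervisorctl prints the program name and its state as the first two columns of each line, which is supervisor's standard format. mhn-collector is the only program it allows to be STOPPED, and only when you tell it you ran disable_collector.sh.

```sh
#!/bin/sh
# Added example, not from the original post or the MHN project: the manual
# "look at supervisorctl status" check as a script. It reads the output of
# "supervisorctl status" on stdin and returns 0 only when every MHN program is
# in the state it should be. Program names are the ones listed in the post;
# mhn-collector may legitimately be STOPPED, because disable_collector.sh
# stops it on purpose.

MHN_PROGRAMS="geoloc honeymap hpfeeds-broker mhn-celery-beat mhn-celery-worker mhn-collector mhn-uwsgi mnemosyne"

# check_mhn_status [yes|no]   < output of "supervisorctl status"
#   Pass "yes" if you ran disable_collector.sh: mhn-collector must then be
#   STOPPED. Otherwise every program, collector included, must be RUNNING.
#   Reports each deviation on stderr and returns 1 if there was any.
check_mhn_status() {
    collector_disabled="${1:-no}"
    status_output=$(cat)        # slurp stdin once so it can be scanned per program
    rc=0
    for prog in $MHN_PROGRAMS; do
        # supervisorctl lines look like: "<name>   <STATE>   pid 123, uptime 0:39:31"
        state=$(printf '%s\n' "$status_output" | awk -v p="$prog" '$1 == p { print $2 }')
        want=RUNNING
        if [ "$prog" = mhn-collector ] && [ "$collector_disabled" = yes ]; then
            want=STOPPED
        fi
        if [ -z "$state" ]; then
            echo "MISSING: $prog is not managed by supervisor at all" >&2
            rc=1
        elif [ "$state" != "$want" ]; then
            echo "BAD: $prog is $state, expected $want (try: sudo supervisorctl tail $prog stderr)" >&2
            rc=1
        fi
    done
    return $rc
}

# mhn_healthcheck [yes|no]: the three checks from the post in one call.
# Needs root for the supervisor socket, so it is not exercised offline.
mhn_healthcheck() {
    service nginx status >/dev/null 2>&1 || { echo "BAD: nginx is not running" >&2; return 1; }
    service supervisor status >/dev/null 2>&1 || { echo "BAD: supervisor is not running" >&2; return 1; }
    supervisorctl status | check_mhn_status "${1:-no}"
}

# Usage on the server (source the file, then call a function):
#   . ./mhn_check.sh
#   sudo supervisorctl status | check_mhn_status        # before disable_collector.sh
#   sudo supervisorctl status | check_mhn_status yes    # after disable_collector.sh
```

Because the function reads plain text on stdin, you can also feed it a saved copy of the supervisorctl output from a broken server to see exactly which component it would have flagged.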
The MHN server has a nice web interface. To see it and log in, open a web browser and go to the Server base url you provided during the installation. Note that this URL is plain HTTP, so the login form and session cookie travel unencrypted; restrict who can reach port 80 (and port 3000 for Honeymap) in the instance's EC2 security group, or put TLS in front of it.
Use your Superuser email and Superuser password to log in. After logging in you will see a dashboard similar to the image below.
There is no data yet because we have not installed any sensors. In my next post I will show how to install some honeypots (sensors), which is where the real fun begins. Till then, enjoy the server.
Thanks for reading the post. If you enjoyed the post, please share it with your network and let me know your thoughts in the comments.
About the Author: Imtiaz works in a financial organization in Bangladesh and has experience in system, network and security administration. Feel free to contact him on LinkedIn or Twitter.