wintermanc3r/honey

Holberton School - Honey Pot Project

2017, January 27 - ongoing

This repo is for a honeypot project, created with the aim of writing a white paper focusing on unsolicited internet traffic. The project is a joint effort between Holberton School staff, students, and mentors.

Process:

  1. Set up an Amazon AWS instance.
  2. Install tshark: `sudo apt-get install tshark`
  3. Set up an SSH tunneling server, so that we only have to filter out one IP address and there is only one SSH entry point into the AWS instance. We used a droplet from Digital Ocean.
  4. Capture all traffic except that from our own (tunnel) IP address: `sudo tshark -w log.pcap -s 0 -n -f 'not net <IP from ssh tunnel>'`
  5. Record the activity for one day.
  6. Parse the pcap and organize the traffic by number of requests per IP, by type of request, or by number of requests per country.
  7. Decide what kind of honeypot to set up, based on the most-accessed protocols:
     • TELNET (port 23) - specifically targeted at Mirai/Hijimbe
       • Cowrie, homegrown honeypot
     • SIP (ports 5060 + 5061)
       • Artemesia, Dionisia, homegrown honeypot
     • HTTP + MySQL (ports 80 + 3306) - specifically WordPress, MySQL
       • Glastopf, homegrown honeypot
     • One other protocol
  8. Compare the pcap with auth.log from that day to determine which traffic is SSH brute force and which is not.
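Steps 6 and 8 worked through in code, as an added example that is not part of the repo: the pcap is reduced with `tshark -r log.pcap -T fields -e ip.src -e tcp.dstport -e udp.dstport`, counted per source IP and destination port, and each IP that touched port 22 is cross-checked against `Failed password` lines in auth.log. The tshark rows and auth.log lines below are constructed samples, and the three-failure threshold and the labels are assumptions.

```python
import re
from collections import Counter
# Constructed sample of `tshark -r log.pcap -T fields -e ip.src -e tcp.dstport -e udp.dstport`
# output (tab separated, one packet per line); not the project's real capture.
TSHARK_FIELDS = """\
203.0.113.5\t22\t
203.0.113.5\t22\t
203.0.113.5\t22\t
198.51.100.7\t23\t
192.0.2.9\t\t5060
192.0.2.44\t22\t
"""
# Constructed auth.log lines in OpenSSH's standard format (not the project's real log).
AUTH_LOG = """\
Jan 27 10:01:02 honey sshd[1201]: Failed password for root from 203.0.113.5 port 41000 ssh2
Jan 27 10:01:04 honey sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 41002 ssh2
Jan 27 10:01:05 honey sshd[1203]: Failed password for root from 203.0.113.5 port 41004 ssh2
Jan 27 10:02:10 honey sshd[1210]: Accepted publickey for ubuntu from 10.0.0.2 port 50000 ssh2
"""
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

def count_by_ip_and_port(fields_text):
    """Packets per (source IP, destination port). Uses the TCP port if set, else the UDP
    port (SIP on 5060 is UDP); rows with neither (ICMP, malformed) are skipped."""
    counts = Counter()
    for line in fields_text.splitlines():
        parts = line.split("\t")
        if len(parts) == 3 and (parts[1] or parts[2]):
            counts[(parts[0], int(parts[1] or parts[2]))] += 1
    return counts

def failed_ssh_by_ip(auth_text):
    """Failed sshd password attempts per client IP, parsed from auth.log lines."""
    return Counter(m.group(1) for m in map(FAILED_RE.search, auth_text.splitlines()) if m)

def classify(fields_text, auth_text, threshold=3):
    """Label each source IP: 'ssh-bruteforce' (port-22 traffic and >= threshold failed logins),
    'ssh-unconfirmed' (port-22 traffic but no auth.log failures, e.g. a bare scan), else 'non-ssh'."""
    ports_by_ip = {}
    for ip, port in count_by_ip_and_port(fields_text):
        ports_by_ip.setdefault(ip, set()).add(port)
    failed = failed_ssh_by_ip(auth_text)
    labels = {}
    for ip, ports in ports_by_ip.items():
        if 22 not in ports:
            labels[ip] = "non-ssh"
        elif failed.get(ip, 0) >= threshold:
            labels[ip] = "ssh-bruteforce"
        else:
            labels[ip] = "ssh-unconfirmed"
    return labels
```

An IP that hits port 22 but never appears in auth.log (the `ssh-unconfirmed` case) is worth a second look, since a scanner or a banner grab leaves packets in the pcap without a login attempt in the log.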

To Do

  • Tim: continue analyzing the Telnet protocol and the Mirai/Hijimbe botnets, and keep the project moving
  • Ian C: write the paper and organize/compile the data
  • Swati and Ian L-J: research and deploy a SIP honeypot
  • Richard: set up and investigate possible honeypots/protocols to analyze; currently deploying Glastopf
  • Danton: compare auth logs and SSH brute-force traffic to determine what is a normal SSH brute force and what could be anomalous; simultaneously, decide on a final protocol to analyze

Installed packages / honeypots:

  • tshark
  • docker
  • cowrie

Links

For a list of resources and commands used, refer to LINKS.md

Authors

For a list of Authors and contributors, refer to AUTHORS