After Johannes did his Tech Tuesday presentation last week on setting up Dshield honeypots, I thought I'd walk you through how I set up my honeypots. I like to combine the Dshield honeypot with Didier Stevens' tcp-honeypot so I can capture more suspicious traffic. Today, I'll walk you through my setup using a VM hosted by Digital Ocean, though the steps would work for pretty much any cloud provider. I'm using Digital Ocean because you can set up a simple VM that is more than adequate as a honeypot for $5/mo. So, let's get to it. First off, I'm going to create a new droplet (you may have to create a new project first). It is pretty straightforward.
Now, from wherever you intend to administer the VM from,
So, we're now up-to-date on patches. Personally, there are a few other things that I add now to help me administer the honeypot, like installing

Then you can run

I've become a big fan of Didier Stevens' tcp-honeypot-3.py (he's going to rename it when he officially releases it sometime soon-ish, because it can also do UDP), but I'm using the 0.1.0 version from Feb 2020. He appears not to have checked it into his GitHub beta repo, so if you want to play with the version I'm using, I guess you could contact me or just wait for Didier's official release whenever that happens. I've actually made 2 minor modifications to the 0.1.0 version; the first is that I make it log to

I've also created a

So, now I have both the Dshield honeypot and tcp-honeypot on the system, but the tcp-honeypot isn't actually capturing anything. The problem is, the Dshield honeypot is controlling the

With the
Now, let's see what all is listening on my honeypot. I'll quickly run
I hope you found this useful. If you have questions or suggestions, feel free to comment here or e-mail me.

Jim 423 Posts ISC Handler Jul 2nd 2020
Hi Jim,
thanks for the great article. Just a small thing to ease your pain with the config of sshd: The man page of sshd_config says about PermitRootLogin: "If this option is set to prohibit-password (or its deprecated alias, without-password), password and keyboard-interactive authentication are disabled for root." Thus, no need to use the confusing "without-password" anymore :) Cheers, Dimitri |
dimir 1 Posts
Jul 2nd 2020
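Dimitri's point above is about which PermitRootLogin value actually takes effect. The following shell script is an added example, not code from the diary or from any commenter: it resolves the effective PermitRootLogin value of an sshd_config the way sshd does (the first occurrence of a keyword wins, keywords are case-insensitive, and comments are ignored) and reports whether root can still authenticate with a password. The two config snippets inside it are constructed for the example; the function names are my own. It deliberately stops at the first Match block, since values inside Match apply only conditionally.

```shell
#!/bin/sh
# Added example (not from the diary or its comments): resolve the effective
# PermitRootLogin value of an sshd_config and decide whether root password
# authentication is still possible.
#
# Assumptions stated here: sshd keeps the FIRST value it reads for a keyword,
# so a later "PermitRootLogin no" does not override an earlier "yes"; when the
# keyword is absent, modern OpenSSH defaults to prohibit-password. Both
# config snippets below are constructed sample data.

# Print the effective PermitRootLogin value of the sshd_config read on stdin.
# Prints "default" when the keyword is not set in the global section.
effective_permit_root_login() {
    awk '
        {
            sub(/#.*/, "")            # drop comments
            gsub(/=/, " ")            # accept "Key=value" as well as "Key value"
            if (NF < 2) next          # blank line or no value
            if (tolower($1) == "match") exit      # conditional section: stop here
            if (tolower($1) == "permitrootlogin") {
                found = 1
                print tolower($2)     # first occurrence is the effective one
                exit
            }
        }
        END { if (!found) print "default" }'
}

# Return 0 when root cannot log in with a password, 1 when it can (or when the
# value is unrecognised, so that a typo is flagged rather than trusted).
root_password_login_blocked() {
    case "$(effective_permit_root_login)" in
        no|prohibit-password|without-password|forced-commands-only|default) return 0 ;;
        *) return 1 ;;
    esac
}

# Print a verdict for the config text passed as $1; status mirrors the check.
check_config() {
    value=$(printf '%s\n' "$1" | effective_permit_root_login)
    if printf '%s\n' "$1" | root_password_login_blocked; then
        echo "OK: root password login disabled (PermitRootLogin=$value)"
        return 0
    fi
    echo "WARN: root can authenticate with a password (PermitRootLogin=$value)"
    return 1
}

# Constructed sample: the second PermitRootLogin line is ignored by sshd.
WEAK_CONFIG='# constructed sample sshd_config
Port 22
PermitRootLogin yes
PermitRootLogin no   # too late: sshd already took "yes"
'

# Constructed sample: the setting Dimitri recommends.
HARDENED_CONFIG='# constructed sample sshd_config
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
'

check_config "$WEAK_CONFIG" || true
check_config "$HARDENED_CONFIG"
```

On a live host you would feed the real file in with `effective_permit_root_login < /etc/ssh/sshd_config`; where sshd is installed, `sshd -T | grep -i permitrootlogin` is the authoritative answer, since it resolves Match blocks and defaults for you.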
Hey Jim,
pretty nice write-up. I started with my first honeypot project in 2014 with a hosted standard Ubuntu VM with dionaea and some personal "tweaks" and "active response". After some years the old setup was a bit outdated and I reached out for an alternative. So I stumbled upon T-Pot (https://github.com/dtag-dev-sec/tpotce) with a lot of different specialized honeypots and one generic one covering a lot of ports. T-Pot was mentioned in a diary some months ago too, regarding ssh reporting with T-Pot by Tom Webb (https://isc.sans.edu/forums/diary/TPOTs+Cowrie+to+ISC+Logs/25976). Until this diary I grabbed the cowrie logs, parsed them and reported them to dshield; now it does it by itself. TNX to Tom for the hint. Now to the point of your diary "to get more data". This T-Pot instance at my place is monitored with Security Onion (because it is running anyway), saving FPCs of all honeypot traffic. This could be done with a simple tcpdump service on the T-Pot standard ubuntu setup too. Then on an hourly basis a script goes through the FPC of the previous period, extracts the "firewall logs" and "404 Pages" and reports this to dshield. It's just another approach, maybe with different goals. With the FPCs, if needed, I can differentiate a bit between bot or human behaviour. Regards, Ron
Ron 17 Posts
Jul 2nd 2020
Hi Ron,
I have a similar setup: running T-Pot and reporting Cowrie/SSH logins as per Tom's article. I'm also running Security Onion, although I'm new to it. Are you prepared to share your script to extract the "firewall logs" and "404 Pages" on SO to report them to DShield? Thanks. Regards, Willie
Willie 2 Posts
Jul 3rd 2020
Hi Willie,
sure, just give me a bit of time to redact personal information. The script in fact does a bit more than only extract these logs. Stay tuned, Ron
Ron 17 Posts
Jul 6th 2020
Hi Willie,
sorry for the delay, I just had a little dispute with my webserver. One can find the "firewall" extraction script here: http://data.h2392901.stratoserver.net/t-pot-analyzer.pl.txt It was a quick'n'dirty hack some time ago, but it does the job. So you may have to scroll down a bit to insert your IDs and keys. It depends on some wireshark/tshark tools, so those are required. As you can see, it may do a bit more analytics, including logging to a DB. For the firewall reports it is called via cron by "t-pot-analyzer.pl hourdummy -h". Bad thing: Although I see I'm reporting to the 404 Project, I'm unfortunately unable to locate how I tricked some system a time ago, managing this. If anyone is inspired or may improve this, feel free to do so. There is no copyright, it was just a working POC. Regards, Ron
Ron 17 Posts
Jul 7th 2020
Hi Ron,
That is awesome. Thank you very much for sharing!! Regards, Willie
Willie 2 Posts
Jul 8th 2020