Friday, 8 May 2015
0 comments

Dockerpot A Docker Based Honeypot


Dockerpot A Docker Based Honeypot

What is Docker:
Docker is an open source project that automates the deployment of applications inside Linux Containers, and provides the capability to package an application with its runtime dependencies into a container.

What is Honeypot read here

For a better summary visit 
http://www.itinsight.hu/blog/posts/2015-05-04-creating-honeypots-using-docker.html

Installation 

Install the necessary software

$ sudo apt-get update
$ sudo apt-get install docker.io socat xinetd auditd
$ # for installing nsenter
$ docker run --rm -v /usr/local/bin:/target jpetazzo/nsenter
Install the honeypot scripts

Copy honeypot to /usr/bin/honeypot and honeypot.clean to /usr/bin/honeypot.clean and make them executable.

You may have to customize the ports in the iptables rules, the memory limit of the container and the network quota if you want to run anything other than an SSH honeypot on port 22.

Configure crond, xinetd and auditd

crond

Add the following line to /etc/crontab. This runs the cleanup script to check for old containers every 5 minutes.

*/5 * * * * /usr/honeypot/honeypot.clean

xinetd

Create the following service file in /etc/xinetd.d/honeypot and add the line honeypot 22/tcp to /etc/services to keep xinetd happy.

# Container launcher for an SSH honeypot
service honeypot
{
        disable         = no
        instances       = UNLIMITED
        server          = /usr/bin/honeypot
        socket_type     = stream
        protocol        = tcp
        port            = 22
        user            = root
        wait            = no
        log_type        = SYSLOG authpriv info
        log_on_success  = HOST PID
        log_on_failure  = HOST
}

auditd

Enable logging the execve systemcall in auditd by appending the following lines to /etc/audit/audit.rules.

-a exit,always -F arch=b64 -S execve
-a exit,always -F arch=b32 -S execve

Create a base image for the honeypot

Create and configure a base image for the honeypot. The container will be run using the command /sbin/init so place your initialization script there or configure an init system of your choice. Make sure to commit the image as "honeypot:latest".

You should also create an account named user and give it a weak password like 123456 to let brute-force attackers crack your host. The ip address of the attacker's host is passed to the container in the environment variable "REMOTE_HOST". For logging you might want to additionally configure an rsyslog instance to forward logs to the host machine at 172.17.42.1.

Download

0 comments:

Post a Comment

 
Toggle Footer
Top