Skip to content
/ siberkuvvet-honeypot Public
forked from 0xnur/siberkuvvet-honeypot

This honeypot listens all tcp ports with using IPTABLES rules and detect protocol with Python. Then it redirect without intercepting traffic to protocol related (ssh, telnet, ftp, web) honeypot.

0 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

simhaonline/siberkuvvet-honeypot

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit

honeypots

honeypots

 
 

inc

inc

 
 

logs

logs

 
 

other_files

other_files

 
 

README.md

README.md

 
 

apache2.conf

apache2.conf

 
 

hihi.log

hihi.log

 
 

install.sh

install.sh

 
 

main.py

main.py

 
 

service.log

service.log

 
 

Repository files navigation

Türkçe açıklama için https://siberkuvvet.com/p/siberkuvvet-balkupu

siberkuvvet honeypot with protocol detection

This repo contains experimental codes for siberkuvvet honeypots.

It run as a services. Get all request from all ports with iptables rules. Create a services for each requests. Do protocol detection from first request bytes. Redirect traffic to running honeypots.

For production with high load some other services must be implemented such as haproxy, kubernates, dockers, librenms, kibana, elasticsearch, etc.

Default honeypots: FTP honeypot : https://github.com/alexbredo/honeypot-ftp SSH honeypot : https://github.com/idleninja/ssh_honeypot-ish/blob/master/simplesshserver_creds.py Telnet honeypot : https://github.com/mbologna/telnetd_honeypot/blob/master/telnetd.py HTTP honeypot : Apache2 with modsecurity

#Install Do not install this repo on production systems.

bash install.sh

Useful Commands

iptables and network commands

clear all nat rules and redirect all port to local 4141 ports (interface name can be different)

iptables -F -t nat
net.ipv4.ip_forward = 1 
sysctl -w net.ipv4.conf.eth0.route_localnet=1
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 1:65530 -j DNAT --to-destination 127.0.0.1:4141

apache2 HTTP honeypot

apt-get install apache2
apt-get install libapache2-mod-security2 
echo "" > /var/www/html/index.html

add this to /etc/apache2/sites-enabled/000-default.conf

<Directory /var/www/html> Options Indexes FollowSymLinks MultiViews AllowOverride All Require all granted

add this to /etc/apache2/apache2.conf to log post method details:

RewriteEngine on RewriteRule ^(.*)$ index.html [QSA,L] SecRuleEngine On SecAuditEngine on

#Setup logging in a dedicated file. SecAuditLog /var/log/apache2/honeypot.log #Allow it to access requests body. SecRequestBodyAccess on SecAuditLogParts ABCZ #Setup default action. SecDefaultAction "nolog,noauditlog,allow,phase:2" #Define the rule that will log the content of POST requests. SecRule REQUEST_METHOD "^POST$" "chain,allow,phase:2,id:123" SecRule REQUEST_URI ".*" "auditlog

DEBUG

show network

watch -n 1 "netstat -antp | grep -v tcp6 | egrep ':4141|0.0.0.0:2222|0.0.0.0:80|0.0.0.0:21|0.0.0.0:23'"

About

This honeypot listens all tcp ports with using IPTABLES rules and detect protocol with Python. Then it redirect without intercepting traffic to protocol related (ssh, telnet, ftp, web) honeypot.

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Python 87.2%
  • Shell 12.8%