Step by step: building the open-source honeypot system MHN

MHN (Modern Honey Network) is a Python 2.7 project (the traceback further down confirms the interpreter), so the installation below is done on an older Ubuntu with system Python 2. Install pip and the TLS helper packages, fetch the repository and run the installer:

cd /opt

curl -O https://bootstrap.pypa.io/get-pip.py
python get-pip.py

pip install pyOpenSSL ndg-httpsclient pyasn1

apt-get install git

git clone https://github.com/threatstream/mhn

cd mhn

./install.sh

Now the configuration stage. install.sh runs with shell tracing on, so every command is echoed with a leading + before its own output:

+ echo ' MHN Configuration'
 MHN Configuration
+ echo ===========================================================
===========================================================
+ python generateconfig.py

Do you wish to run in Debug mode?: y/n y

Superuser email: [email protected]

Superuser password: admin@2018

Superuser password: (again):

Server base url ["http://95.179.164.233"]:

The superuser is the account that manages sensors and deploy keys in the web UI, so admin@2018 above is only a placeholder; use a strong password. Debug mode is a development setting, so answer n on a server that is reachable from the Internet. Answer no to both email encryption questions:

Use TLS for email?: y/n n

Use SSL for email?: y/n n

The remaining prompts can be left at their defaults by pressing Enter.

It then asks whether to integrate with Splunk. Answer y, with host 127.0.0.1 and port 10086:

+ echo -n 'Would you like to integrate with Splunk? (y/n) '
Would you like to integrate with Splunk? (y/n) + read SPLUNK
y
+ '[' y == y -o y == Y ']'
+ echo -n 'Splunk Forwarder Host: '
Splunk Forwarder Host: + read SPLUNK_HOST
127.0.0.1
+ echo -n 'Splunk Forwarder Port: '
Splunk Forwarder Port: + read SPLUNK_PORT
10086

These two values only tell the Splunk forwarder that install.sh sets up where to send events. Nothing on this host listens on 127.0.0.1:10086, so with these answers the events go nowhere; enter the host and receiving port of a real Splunk indexer, or answer n if ELK is all you need.

Next it asks whether to install ELK:

+ echo -n 'Would you like to install ELK? (y/n) '
Would you like to install ELK? (y/n) + read ELK

Answer y. (My disk is 50 GB and memory 2 GB.) Note that 2 GB is the low end for running Elasticsearch, Logstash and Kibana next to MHN; if they start getting killed for lack of memory, give the VM more.

If you get

./install_elk.sh: line 11: add-apt-repository: command not found

install the package that provides add-apt-repository and rerun the ELK script by hand:

apt-get install software-properties-common

cd scripts

./install_elk.sh

root@vultr:/opt/mhn/scripts# ./install_elk.sh

If it asks about installing the JDK partway through, answer yes to both prompts.

Finally, check the status of the supervisor-managed processes:

root@vultr:/opt/mhn/scripts# supervisorctl status

geoloc                 RUNNING   pid 26304, uptime 0:15:13
honeymap               RUNNING   pid 26306, uptime 0:15:13
hpfeeds-broker         RUNNING   pid 7453, uptime 0:17:36
hpfeeds-logger-json    RUNNING   pid 28239, uptime 0:04:40
hpfeeds-logger-splunk  RUNNING   pid 28168, uptime 0:06:12
kibana                 RUNNING   pid 29410, uptime 0:00:15
logstash               RUNNING   pid 29411, uptime 0:00:15
mhn-celery-beat        RUNNING   pid 27855, uptime 0:07:33
mhn-celery-worker      FATAL     Exited too quickly (process log may have details)
mhn-collector          RUNNING   pid 27857, uptime 0:07:33
mhn-uwsgi              RUNNING   pid 27859, uptime 0:07:33
mnemosyne              RUNNING   pid 25324, uptime 0:15:44

mhn-celery-worker has not started. Look at its log:

cd /var/log/mhn/

cat mhn-celery-worker.err

The last three lines show a permission problem:

  File "/usr/lib/python2.7/logging/__init__.py", line 928, in _open
    stream = open(self.baseFilename, self.mode)
IOError: [Errno 13] Permission denied: '/var/log/mhn/mhn.log'

Grant permission:

chmod 777 -R /var/log/mhn/mhn.log

This works, but it is broader than needed (and -R does nothing on a single file). The worker runs as an unprivileged account under supervisor (www-data in MHN's stock supervisor configuration) while mhn.log was created by root during installation, so the least-privilege fix is to chown the file to that account rather than make it world-writable.

Restart the services:

supervisorctl restart all

Check the status again; everything is running now:

root@vultr:/var/log/mhn# supervisorctl status

geoloc                 RUNNING   pid 29522, uptime 0:00:32
honeymap               RUNNING   pid 29514, uptime 0:00:34
hpfeeds-broker         RUNNING   pid 29534, uptime 0:00:31
hpfeeds-logger-json    RUNNING   pid 29523, uptime 0:00:32
hpfeeds-logger-splunk  RUNNING   pid 29510, uptime 0:00:35
kibana                 RUNNING   pid 29511, uptime 0:00:35
logstash               RUNNING   pid 29479, uptime 0:00:36
mhn-celery-beat        RUNNING   pid 29480, uptime 0:00:36
mhn-celery-worker      RUNNING   pid 29528, uptime 0:00:32
mhn-collector          RUNNING   pid 29529, uptime 0:00:31
mhn-uwsgi              RUNNING   pid 29527, uptime 0:00:32
mnemosyne              RUNNING   pid 29517, uptime 0:00:33
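Two added helpers for the situation above (example code, not from the MHN project): one parses supervisorctl status and names the stderr log to read for every program that is not RUNNING, the other decides from ownership and mode bits whether a given uid/gid could write a file, which is the question behind the Errno 13. Assumptions: supervisor writes each program's stderr to /var/log/mhn/<name>.err, as it does for mhn-celery-worker on this page, and the worker runs as www-data, as in MHN's stock supervisor configuration. The status text is a constructed sample mirroring the first listing above.

```python
"""Health check for MHN's supervisor programs and a least-privilege
alternative to `chmod 777` for the mhn.log failure. Added example, not MHN code.
Assumptions: stderr logs live at /var/log/mhn/<name>.err; worker runs as www-data."""
import os
import pwd
import re
import stat
import subprocess
import tempfile

# One line per program: "<name> <STATE> <detail>"
STATUS_LINE = re.compile(
    r"^(\S+)\s+(RUNNING|STARTING|STOPPED|FATAL|EXITED|BACKOFF|UNKNOWN)\b\s*(.*)$")

# Constructed sample mirroring the first `supervisorctl status` on this page.
SAMPLE_STATUS = """\
geoloc                 RUNNING   pid 26304, uptime 0:15:13
hpfeeds-broker         RUNNING   pid 7453, uptime 0:17:36
mhn-celery-worker      FATAL     Exited too quickly (process log may have details)
mhn-uwsgi              RUNNING   pid 27859, uptime 0:07:33
"""


def parse_supervisor_status(text):
    """Map each program name to (state, detail)."""
    procs = {}
    for line in text.splitlines():
        m = STATUS_LINE.match(line.strip())
        if m:
            procs[m.group(1)] = (m.group(2), m.group(3))
    return procs


def unhealthy(procs, log_dir="/var/log/mhn"):
    """[(name, state, stderr log to read)] for every program not RUNNING."""
    return [(name, state, os.path.join(log_dir, name + ".err"))
            for name, (state, _) in sorted(procs.items()) if state != "RUNNING"]


def writable_by(path, uid, gid):
    """Could a process running as uid/gid open `path` for writing?
    Judged from ownership and mode bits only (supplementary groups ignored);
    root always passes. This is the check the Errno 13 above failed."""
    st = os.stat(path)
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def fix_ownership(path, user="www-data"):
    """Hand the log to the account that needs it instead of opening it to
    everyone. Needs root. `user` is the worker's account (assumed www-data)."""
    pw = pwd.getpwnam(user)
    os.chown(path, pw.pw_uid, pw.pw_gid)
    os.chmod(path, 0o640)


def demo_permission_check():
    """Reproduce the failure offline: a 0644 file owned by someone else is not
    writable by a foreign uid, and becomes writable once the mode is opened up
    (what chmod 777 did). Returns (before, after)."""
    foreign = 33 if os.getuid() != 33 else 34   # Debian's www-data is uid 33
    fd, path = tempfile.mkstemp(prefix="mhn-")
    os.close(fd)
    try:
        os.chmod(path, 0o644)
        before = writable_by(path, foreign, foreign)   # other bit unset -> False
        os.chmod(path, 0o666)
        after = writable_by(path, foreign, foreign)    # other bit set -> True
    finally:
        os.unlink(path)
    return before, after


if __name__ == "__main__":
    try:   # on a real MHN server read the live status, otherwise use the sample
        out = subprocess.check_output(["supervisorctl", "status"]).decode()
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE_STATUS
    for name, state, errlog in unhealthy(parse_supervisor_status(out)):
        print("%-22s %-8s see %s" % (name, state, errlog))
    print("permission demo (before, after):", demo_permission_check())
```

fix_ownership() is the replacement for chmod 777: it gives mhn.log to www-data with mode 0640 and needs root, so the offline demo does not call it.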

Open the web UI; there is no traffic yet:

http://95.179.164.233/ui/manage-deploy/?script_id=5

[Screenshot: MHN dashboard at /ui/dashboard/ with the menu Map, Deploy, Attacks, Payloads, Rules, Sensors, Charts, Attack Stats, Settings, Log Out. "Attacks in the last 24 hours", "TOP 5 Attacker IPs", "TOP 5 Attacked ports" and "TOP 5 Honey Pots" are all empty.]

Check the open ports with Nmap:

nmap 95.179.164.233

Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-05 22:54 EDT
Nmap scan report for 95.179.164.233.vultr.com (95.179.164.233)
Host is up (0.19s latency).
Not shown: 990 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
42/tcp    filtered nameserver
80/tcp    open     http
445/tcp   filtered microsoft-ds
1068/tcp  filtered instl_bootc
3000/tcp  open     ppp
4444/tcp  filtered krb524
8089/tcp  open     unknown
8181/tcp  open     intermapper
10000/tcp open     snet-sensor-mgmt

Nmap done: 1 IP address (1 host up) scanned in 14.38 seconds

The SERVICE column is Nmap's name for the port number, not what is actually listening. On this host the open ports belong to the MHN server itself: 80 is the web UI, 10000 the hpfeeds broker the sensors publish to, 3000 the honeymap, 8181 the mnemosyne web API and 8089 the management port of the Splunk forwarder (stock MHN configuration). Sensors need 80 (to fetch the deploy script) and 10000; none of the others need to be reachable from the Internet, so firewall them before deploying honeypots on the same box, where any of them would otherwise be mixed in with the bait.
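An added check for the point above (example code, not part of MHN): given Nmap's normal output for the server, list the open TCP ports that fall outside an allow-list, and the allow-listed ports that did not show up open. The allow-list {22, 80, 10000} is my assumption of what an MHN server must expose (SSH, the web UI with the deploy-script download, the hpfeeds broker); the sample scan is the one on this page, embedded as a string so the script runs offline.

```python
"""Compare an Nmap listing of the MHN server with the ports it is expected to
expose. Added example, not MHN code. EXPECTED is an assumption: SSH, the web
UI (80) and the hpfeeds broker (10000); adjust it to your own layout."""
import re
import sys

EXPECTED = {22, 80, 10000}

# Matches Nmap's normal-output port lines, e.g. "3000/tcp  open  ppp"
PORT_LINE = re.compile(
    r"^(\d+)/(tcp|udp)\s+(open\|filtered|open|closed|filtered)\s+(\S+)")

# Constructed from the scan shown above.
SAMPLE_SCAN = """\
Not shown: 990 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
42/tcp    filtered nameserver
80/tcp    open     http
445/tcp   filtered microsoft-ds
1068/tcp  filtered instl_bootc
3000/tcp  open     ppp
4444/tcp  filtered krb524
8089/tcp  open     unknown
8181/tcp  open     intermapper
10000/tcp open     snet-sensor-mgmt
"""


def parse_nmap(text):
    """[(port, proto, state, service)] for every port line in the output."""
    found = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            found.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return found


def unexpected_open(text, expected=EXPECTED):
    """Open TCP ports missing from the allow-list, with Nmap's service guess
    (the IANA name for the number, not the real listener)."""
    return [(port, svc) for port, proto, state, svc in parse_nmap(text)
            if proto == "tcp" and state == "open" and port not in expected]


def missing(text, expected=EXPECTED):
    """Allow-listed ports that were not seen open, e.g. a broker that is down."""
    open_ports = {port for port, proto, state, _ in parse_nmap(text)
                  if proto == "tcp" and state == "open"}
    return sorted(expected - open_ports)


if __name__ == "__main__":
    # Usage: nmap <server> | python exposure.py   (falls back to the sample)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SCAN
    for port, svc in unexpected_open(text):
        print("unexpected open port %d/tcp (nmap calls it %s)" % (port, svc))
    for port in missing(text):
        print("expected port %d/tcp is not open" % port)
```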
Next, install the various honeypots.

Click Deploy in the top-left corner and choose Snort first.

[Screenshot: Deploy page. Select Script: "Ubuntu - Snort". Deploy Command:]

wget "http://95.179.164.233/api/script/?text=true&script_id=6" -O deploy.sh && sudo bash deploy.sh http://95.179.164.233 wdaNBQwx

Paste the command on the sensor host and run it. The last argument is the deploy key that lets a sensor register with this server, so treat it as a credential. Note also that the command fetches the script over plain HTTP and runs it as root, so anything in the network path could substitute its own script; acceptable in a lab, not on a network you do not control.

Once it succeeds, look at the detections (Attacks Report, filtered on the snort honeypot; the 445 and 8.8.8.8 in the search form are just placeholder hints):

Honeypot  Date        Src IP           Sensor       Dst port  Protocol
snort     2018-07-06  184.105.139.97   vultr.guest  177       UDP
snort     2018-07-06  5.188.86.29      vultr.guest  4112      TCP
snort     2018-07-06  5.188.86.29      vultr.guest  4112      TCP
snort     2018-07-06  122.226.181.167  vultr.guest  22        TCP

After that the procedure is the same for p0f, ElasticHoney, Amun, Dionaea and the rest.

The traffic captured afterwards looks like this (/ui/attacks/):

Date                 Src IP           Sensor       Dst port  Protocol      Honeypot
2018-07-06 03:05:59  42.118.162.28    vultr.guest  445       microsoft-ds  amun
2018-07-06 03:05:59  42.118.162.28    vultr.guest  445       microsoft-ds  amun
2018-07-06 03:05:58  115.238.245.14   vultr.guest  22        pcap          p0f
2018-07-06 03:05:57  42.118.162.28    vultr.guest  445       microsoft-ds  amun
2018-07-06 03:05:56  42.118.162.28    vultr.guest  445       microsoft-ds  amun
2018-07-06 03:05:56  42.118.162.28    vultr.guest  445       microsoft-ds  amun
2018-07-06 03:05:55  42.118.162.28    vultr.guest  445       microsoft-ds  amun
2018-07-06 03:05:55  42.118.162.28    vultr.guest  445       microsoft-ds  amun

Attack map:

The red dots on the map are the attack sources.

Looking one of the attacker IPs up in a threat-intelligence service shows it flagged as a compromised host:

[Screenshot: IP lookup for 122.226.181.167. Location: Taizhou, Zhejiang, China (121.428599, 28.661378). Owner: IDC. Current behaviour: malware, network attack, bot, botnet, compromised host. History: bot (blocklist, 2018-02-06); botnet (iblocklist, 2018-02-06); malware (2018-07-03); network attack (rutgers, 2018-07-05); compromised host (emergingthreats, 2018-03-22).]

Attack statistics:

TOP 5 Attacked ports:
1. 445 (100 times)
2. 22 (23 times)
3. 80 (7 times)
4. 5578 (3 times)
5. 7034 (2 times)

TOP 5 Honey Pots:
1. amun (92 attacks)
2. p0f (33 attacks)
3. snort (20 attacks)
4. dionaea (1 attack)

TOP 5 Sensors:
1. vultr.guest (92 attacks)
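To recompute these counters yourself, or to alert on them without the web UI, read the JSON log that hpfeeds-logger-json keeps on the server. The following is an added example, not MHN code; the log path and the field names (src_ip, dest_port, protocol, app, sensor, timestamp) are assumptions based on that logger's output and should be checked against a line of your own /var/log/mhn/mhn-json.log. The sample lines are constructed from the table rows on this page, with one deliberately damaged line to show that the parser skips what it cannot read instead of aborting.

```python
"""Rebuild the dashboard's TOP-N counters from MHN's JSON attack log.
Added example, not MHN code. LOG_PATH and the field names are assumptions
about hpfeeds-logger-json's output; verify them against your own log."""
import json
import sys
from collections import Counter, defaultdict

LOG_PATH = "/var/log/mhn/mhn-json.log"   # assumed location of the JSON log

# Constructed sample mirroring the attack tables above (one event per line).
SAMPLE_LOG = "\n".join([
    '{"timestamp": "2018-07-06T03:05:59", "src_ip": "42.118.162.28", "dest_port": 445, "protocol": "microsoft-ds", "app": "amun", "sensor": "vultr.guest"}',
    '{"timestamp": "2018-07-06T03:05:59", "src_ip": "42.118.162.28", "dest_port": 445, "protocol": "microsoft-ds", "app": "amun", "sensor": "vultr.guest"}',
    '{"timestamp": "2018-07-06T03:05:58", "src_ip": "115.238.245.14", "dest_port": 22, "protocol": "pcap", "app": "p0f", "sensor": "vultr.guest"}',
    '{"timestamp": "2018-07-06T03:05:57", "src_ip": "42.118.162.28", "dest_port": 445, "protocol": "microsoft-ds", "app": "amun", "sensor": "vultr.guest"}',
    '{"timestamp": "2018-07-06T03:05:56", "src_ip": "42.118.162.28", "dest_port": 445, "protocol": "microsoft-ds", "app": "amun", "sensor": "vultr.guest"}',
    '{"timestamp": "2018-07-06T03:05:55", "src_ip": "42.118.162.28", "dest_port": 445, "protocol": "microsoft-ds", "app": "amun", "sensor": "vultr.guest"}',
    '{"timestamp": "2018-07-06T03:01:10", "src_ip": "5.188.86.29", "dest_port": "4112", "protocol": "TCP", "app": "snort", "sensor": "vultr.guest"}',
    '{"timestamp": "2018-07-06T03:01:12", "src_ip": "5.188.86.29", "dest_port": 4112, "protocol": "TCP", "app": "snort", "sensor": "vultr.guest"}',
    '{"timestamp": "2018-07-06T02:58:40", "src_ip": "122.226.181.167", "dest_port": 22, "protocol": "TCP", "app": "snort", "sensor": "vultr.guest"}',
    '{"timestamp": "2018-07-06T02:58:41", "src_ip": "1.2.3.',   # truncated write
])


def parse_records(lines):
    """One dict per well-formed event; ports normalised to int (some loggers
    emit them as strings); unreadable lines are skipped, not fatal."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            rec["dest_port"] = int(rec["dest_port"])
        except (ValueError, KeyError, TypeError):
            continue
        records.append(rec)
    return records


def top(records, field, n=5):
    """Most frequent values of `field`, ties broken by value for stable output."""
    counts = Counter(rec[field] for rec in records if field in rec)
    return sorted(counts.items(), key=lambda kv: (-kv[1], str(kv[0])))[:n]


def per_honeypot_ports(records):
    """Which ports each honeypot type was hit on: {app: Counter({port: n})}."""
    out = defaultdict(Counter)
    for rec in records:
        out[rec.get("app", "?")][rec["dest_port"]] += 1
    return dict(out)


def dashboard(records):
    """The three TOP-5 lists the MHN dashboard shows."""
    return {"attacker_ips": top(records, "src_ip"),
            "attacked_ports": top(records, "dest_port"),
            "honeypots": top(records, "app")}


if __name__ == "__main__":
    try:
        with open(sys.argv[1] if len(sys.argv) > 1 else LOG_PATH) as fh:
            lines = fh.readlines()
    except IOError:
        lines = SAMPLE_LOG.splitlines()   # offline: use the constructed sample
    recs = parse_records(lines)
    for name, rows in dashboard(recs).items():
        print(name)
        for rank, (value, count) in enumerate(rows, 1):
            print("  %d. %s (%d)" % (rank, value, count))
```

Run it against the live file on the server, or with a path argument against a copy pulled off the box; the same records feed per_honeypot_ports(), which is the breakdown the dashboard does not show (for example whether the port 22 hits came from snort or p0f).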

Payloads (Payloads Report, filtered on snort.alerts; the sensor column is the sensor's UUID):

signature                                                          sensor                                source_ip        destination_port  priority  classification
ET SCAN potential SSH scan                                         8da414d6-80c8-11e8-9d18-56000192bfa6  193.201.224.236  22                2         4
ET DROP Dshield Block Listed Source group 1                        8da414d6-80c8-11e8-9d18-56000192bfa6  196.52.43.128    5901              2         30
ET DROP Dshield Block Listed Source group 1                        8da414d6-80c8-11e8-9d18-56000192bfa6  5.188.207.45     5578              2         30
ET CINS Active Threat Intelligence Poor Reputation IP TCP group 6  8da414d6-80c8-11e8-9d18-56000192bfa6  5.188.207.45     5578              2         30
ET SCAN potential SSH scan                                         8da414d6-80c8-11e8-9d18-56000192bfa6  193.201.224.236  22                2         4
ET DROP Dshield Block Listed Source group 1                        8da414d6-80c8-11e8-9d18-56000192bfa6  92.63.193.154    7034              2         30

Note:

If you install an HTTP-type honeypot on the same host, such as Shockpot Sinkhole, remember to change its listening port: nginx serving the MHN web UI already owns port 80 there (see the Nmap scan above), so the honeypot cannot bind it.

[Screenshot: Deploy Script "Ubuntu - Shockpot Sinkhole". After pip install -r requirements.txt the script writes the honeypot's configuration with a heredoc (cat > shockpot.conf <...); the listening port is set in that generated shockpot.conf.]


Reposted from blog.csdn.net/u013175604/article/details/81089249