Introduction and simple test of HFish honeypot (1)

Table of contents

0. What is a honeypot

0.1. The definition of a honeypot

0.2. Advantages of honeypots

0.3. Honeypots and intelligence

1. Introduction to HFish

1.1. Design concept

1.2. HFish architecture

1.3. Features of HFish

1.4. Common honeypot scenarios

2. Rapid deployment

2.1. Environmental requirements

2.2. Networked environment, one-click installation

2.3. Installation effect

3. Troubleshooting

3.1. Management end problems

3.2. Node problems

3.3. Honeypot service issues


0. What is a honeypot

0.1. The definition of a honeypot

Honeypot technology is essentially a technique for deceiving the attacker. By deploying hosts, network services or information as bait, the attacker is induced to attack them, so that the attack behaviour can be captured and analysed: the tools and methods the attacker uses can be understood and the attack intention and motivation inferred. This gives the defender a clear picture of the security threats they face and lets them strengthen the protection of the real systems through technical and management means.

0.2. Advantages of honeypots

Fewer false alarms and accurate alarms

As a "shadow" of normal business, honeypots sit unobtrusively in the network and should not be touched under normal circumstances, so every touch can be regarded as a threat. In other detection products, false positives that misjudge normal requests as attack behaviour are very common, but a honeypot receives almost no normal requests, and even those that do arrive are probing behaviour.

In-depth detection and rich information

Unlike other detection-based security products, honeypots can simulate business services and even respond to attacks, capturing the complete content of the whole interaction and following the attacker N steps beyond the initial probe, which gives more detection points and a larger volume of information.

For example, in SSL-encrypted or industrial control environments, a honeypot can easily impersonate the service and obtain complete attack data.

Active defense, foreseeing the future, producing intelligence

In every enterprise, a scenario like this occurs almost every minute: an attacker lurking in a corner of the Internet launches an attack probe, the defender's business has no security hole, and the IDS alert leads nowhere.

After honeypot-type products are applied, however, this becomes an active defence idea: the honeypot responds to the attack probe, tricks the attacker into believing a hole exists, and the attacker then sends more instructions, including downloading a Trojan program from a remote address. All of this is recorded in full, and it can also be converted into threat intelligence that feeds traditional detection equipment for accurate detection of host compromise at some later point.

It can be seen that, after switching to the idea of active protection, threat detection rises from targeting single, variable attacks to applying threat intelligence and even TTP (Tactics, Techniques, and Procedures) detection.

*Indicators of Compromise (IOC)

Less environmental dependence, broaden horizons

Because it is a self-contained security product, a honeypot does not require changes to the existing network structure; many honeypots are delivered as software, which suits virtualised and cloud environments well, and the deployment cost is low. Honeypots can be deployed widely in the cloud and in the peripheral network downstream of access switches; as lightweight probes, their alarms are aggregated into situational-awareness or traditional detection equipment for analysis and display.

0.3. Honeypots and intelligence

Honeypots are clearly very accurate, stable and suitable intelligence-sensing probes. The greatest value of a honeypot is to lure attackers into demonstrating their capabilities and assets; coupled with advantages such as fewer false positives and rich information, it can reliably produce private threat intelligence together with situational-awareness or local intelligence platforms.

1. Introduction to HFish

1.1. Design concept

HFish is a community-based free honeypot that focuses on enterprise security scenarios. Starting from the three scenarios of internal network breach detection, external network threat perception and threat intelligence production, it provides users with independently operable and practical functions. Through secure, agile and reliable low-to-medium interaction honeypots, it increases users' capabilities in breach awareness and threat intelligence.

HFish offers more than 40 honeypot environments, a free cloud honeynet, highly customisable honeybait capability, one-click deployment, cross-platform multi-architecture support, support for domestic operating systems and CPUs, extremely low performance requirements, mail/syslog/webhook/enterprise WeChat/DingTalk/Feishu alerting and many other features that help users reduce operation and maintenance costs and improve operational efficiency.

1.2. HFish architecture

HFish adopts a B/S (browser/server) architecture. The system consists of a management end and a node end. The management end generates and manages the node end, and receives, analyses and displays the data returned by the node end. The node end accepts control from the management end and is responsible for building the honeypot services.

In HFish, the management end is used only for data analysis and display, the node end runs the virtual honeypots, and it is the honeypots that finally bear the attacks.

For a minimal test, you can test the honeypot services directly by installing the management end and using the node built into it.

1.3. Features of HFish

HFish currently has the following features:

  • Safe and reliable: mainly low-to-medium interaction honeypots, simple and effective;

  • Rich functions: supports more than 40 kinds of honeypot services such as basic network services, OA systems, CRM systems, NAS storage systems, Web servers, operation and maintenance platforms, wireless APs, switches/routers, mail systems, IoT devices, etc.; supports user-built custom Web honeypots, pulling traffic to the cloud honeynet, switchable scan perception capability, and customisable honeybait configuration;

  • Open and transparent: supports integration with the Weibu Online (ThreatBook) X community API, five-way syslog output, and email, DingTalk, WeChat, Feishu and custom WebHook alert output;

  • Quick management: supports batch deployment from a single installation package and batch modification of ports and services;

  • Cross-platform: supports Linux x32/x64/ARM and Windows x32/x64 platforms, domestic operating systems, and Loongson, Haiguang (Hygon), Phytium, Kunpeng, Tengyun and Zhaoxin hardware.

1.4. Common honeypot scenarios

2. Rapid deployment

2.1. Environmental requirements

Deployment hosts supported by HFish


| | Windows | Linux x86 |
|---|---|---|
| Management end (Server) | 64-bit supported | 64-bit supported |
| Node end (Client) | 64-bit and 32-bit supported | 64-bit and 32-bit supported |

Required configuration for HFish on the intranet

Generally speaking, honeypots deployed on the internal network have lower performance requirements, while honeypots exposed to the public network need more.

Based on past test results, we give two configurations. Note that a honeypot deployed on the Internet will receive heavy attack traffic, so a higher host configuration is recommended.

| | Management end | Node end |
|---|---|---|
| Recommended configuration | 2 cores, 4 GB RAM, 200 GB disk | 1 core, 2 GB RAM, 50 GB disk |
| Minimum configuration | 1 core, 2 GB RAM, 100 GB disk | 1 core, 1 GB RAM, 50 GB disk |

Note: log disk usage depends heavily on the number of attacks; it is recommended to give the management end more than 200 GB of disk space.

Required configuration for HFish on the external network (the MySQL database must be substituted)

Generally speaking, honeypots exposed to the public network have greater performance requirements.

Based on past test results, we give two configurations. Note that a honeypot deployed on the Internet will receive heavy attack traffic, so a higher host configuration is recommended.

| | Management end (MySQL database must be substituted) | Node end |
|---|---|---|
| Recommended configuration | Up to 5 nodes: 4 cores, 8 GB RAM, 200 GB disk | 1 core, 2 GB RAM, 50 GB disk |
| Minimum configuration | 2 cores, 4 GB RAM, 100 GB disk | 1 core, 1 GB RAM, 50 GB disk |

Note: log disk usage depends heavily on the number of attacks; it is recommended to give the management end more than 200 GB of disk space.

Deployment permission requirements

Requirements for root permissions on the management side

  1. If you install with the install.sh script recommended on the official website, root privileges are required and the installation directory is under /opt;

  2. If you download the installation package and install it manually, the management end can be deployed and used without root privileges as long as the default SQLite database is kept; if you want to replace SQLite with MySQL, root privileges are required to install and configure MySQL;

Requirements for root permissions on the node side

Node-side installation and operation do not require root privileges, but because of operating-system restrictions a node running without root cannot listen on ports below tcp/1024;

2.2. Networked environment, one-click installation

Special note: CentOS is our native development and main test system; we recommend installing on CentOS.

After HFish starts there are currently two processes: the "hfish" process is the management process, responsible for monitoring, launching and upgrading the honeypot main program; the "management end" process is the honeypot main program itself, which runs the honeypot software. On Linux, the management end's database and configuration files are stored in the /usr/share/hfish directory, and the configuration and data in that directory are read automatically on reinstallation.

If your deployment environment is Linux with Internet access, we have prepared a one-click deployment script that installs and configures everything. Before using it, configure the firewall first.

Open ports 4433 and 4434 in the firewall and confirm that each command returns success (if a honeypot service later needs another port, open it with the same command).

firewall-cmd --add-port=4433/tcp --permanent   # (used by the web interface)
firewall-cmd --add-port=4434/tcp --permanent   # (used for node-to-management-end communication)
firewall-cmd --reload

As root, run the script below.

bash <(curl -sS -L https://hfish.net/webinstall.sh)

After installation finishes:

Login link: https://[ip]:4433/web/
Account: admin
Password: HFish2021
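The firewall, root and install steps above can be wrapped in one pre-flight script so that a missed port or a non-root shell is caught before the installer runs. The script below is an added example and is not HFish's own installer; it assumes a CentOS-style host with firewalld (`firewall-cmd`), root access and outbound HTTPS to hfish.net. The port list and install URL are the ones given on this page; the script name `hfish-preflight.sh` is a hypothetical file name.

```shell
#!/usr/bin/env bash
# Added example (not HFish's own installer): pre-flight wrapper around the
# one-click install. Assumes firewalld (firewall-cmd), root, outbound HTTPS.

HFISH_PORTS="4433/tcp 4434/tcp"                       # 4433 = web UI, 4434 = node/management channel
HFISH_INSTALL_URL="https://hfish.net/webinstall.sh"   # the script the page installs from

# missing_ports REQUIRED OPENED
# Prints, one per line, each port in REQUIRED that does not appear in OPENED
# (OPENED is the space-separated list printed by `firewall-cmd --list-ports`).
missing_ports() {
    req=$1
    opened=$2
    for p in $req; do
        found=0
        for o in $opened; do
            [ "$o" = "$p" ] && found=1
        done
        [ "$found" -eq 0 ] && echo "$p"
    done
    return 0
}

# ensure_ports_open: opens whatever HFish ports firewalld does not list yet,
# then reloads once, mirroring the firewall-cmd commands given on the page.
ensure_ports_open() {
    opened=$(firewall-cmd --list-ports) || return 1
    for p in $(missing_ports "$HFISH_PORTS" "$opened"); do
        firewall-cmd --add-port="$p" --permanent || return 1
        echo "opened $p"
    done
    firewall-cmd --reload
}

# install_hfish: root check, firewall check, then the one-click script.
install_hfish() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "install.sh needs root (it installs under /opt)" >&2
        return 1
    fi
    if ! command -v firewall-cmd >/dev/null 2>&1; then
        echo "firewall-cmd not found: open 4433/tcp and 4434/tcp with your firewall tool first" >&2
        return 1
    fi
    ensure_ports_open || return 1
    # The page's `bash <(curl ...)` form written as a pipe so the script is POSIX sh compatible.
    curl -sS -L "$HFISH_INSTALL_URL" | bash || return 1
    echo "login: https://<this host's IP>:4433/web/ (admin / HFish2021); change the password right away on an Internet-facing host"
}

# Run the full procedure only when invoked as `./hfish-preflight.sh --run`,
# so the functions can also be sourced and checked on their own.
if [ "${1:-}" = "--run" ]; then
    install_hfish
fi
```

`missing_ports` is kept pure (input and output are strings) so the port logic can be checked without a firewall present; only `ensure_ports_open` and `install_hfish` touch the live host.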

2.3. Installation effect

This test is installed in a networked Linux environment. For other environments, please refer to the official manual.

The test environment is my VPS.

Option 1, install and run HFish

Wait for the installation to complete.

After configuring the VPS firewall, you can open the management interface (note that the URL must end with /web/).

For a self-test, the SQLite database is sufficient.

Change the password first, because the host is deployed on the Internet.

After logging in, you can see the node status and attack status.

3. Troubleshooting

3.1. Management end problems

After the management end is deployed, the web management page still cannot be opened

Solution:

1. Confirm that the browser address is https://[server]:4433/web/; the "/web/" path cannot be omitted

2. Confirm that the management process is running and that TCP/4433 is open. If either is abnormal, restart the management process

# check that the hfish-server process is running normally
ps ax | grep ./hfish | grep -v grep
# check that the TCP/4433 port is open
ss -ntpl

3. Check whether a firewall enabled on the management host is what blocks access; if necessary, consider turning it off

 #centos7: check firewall status
 systemctl status firewalld

 #centos7: list the ports opened in the firewall
 firewall-cmd --list-ports

4. In a Linux environment, use the date command to confirm that the system time is accurate

5. If none of the above shows a problem, please provide us with the server and client logs

Node end logs are in the logs folder of the installation directory, file name client.log
Linux management end logs are in the /usr/share/hfish/log folder, file name server.log
Windows management end logs are in the C:\Users\Public\hfish\log folder, file name server.log

3.2. Node problems

Node status shows red (offline)

Solution:

1. Check the network connectivity from the node to the management end. The following are some common situations

The node connects to TCP/4434 on the management end once every 60 seconds; if it cannot connect for 180 seconds it is shown as offline.
Offline is shown briefly right after deployment or when the network is unstable.
Usually, wait 2 to 3 minutes; if the node returns to green online, the honeypot services also change from green enabled to green online.

2. If network access is confirmed to be normal but the node is always offline on the management side, check the running status of the process on the node. If the process is running abnormally, kill all associated processes, restart the process, and collect the error log.

# check that the ./client process is running normally
ps ax | grep -E 'services|./client' | grep -v grep

If none of the above shows a problem, please provide us with the server and client logs

Node end logs are in the logs directory of the installation directory, file name client.log
Linux management end logs are in the /usr/share/hfish/log folder, file name server.log
Windows management end logs are in the C:\Users\Public\hfish\log folder, file name server.log
Running the Linux node end in the background:
nohup ./client >> nohup.out 2>&1 &
Starting it automatically at boot on Linux:
echo 'nohup ./client >> nohup.out 2>&1 &' >> /etc/rc.local
Scheduled-task approach on Linux:
echo '* * * * * nohup ./client >> nohup.out 2>&1 &' >> /var/spool/cron/crontabs/root

3.3. Honeypot service issues

The node is online, some honeypot services are online and some are offline

The reason for being offline can be seen by hovering over the question mark next to the status.

Solution for "bind: address already in use":

This error is usually caused by a port conflict.

It is common with the SSH service on the default port 22: the service is online right after the client starts and goes offline a little later.
Use the ss -ntpl command to check whether the port of that honeypot service is already occupied; if it is, change the default port of that service.
On Windows, if the user enables TCP port listening, TCP ports 135, 139, 445 and 3389 will very likely conflict, because Windows occupies these ports by default; listening on TCP 135, 139, 445 and 3389 on Windows is not recommended.
Port conflict resolution on Linux:
lsof -i:[port]
kill [pid]
then re-enable the honeypot on that port
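The checks in 3.1 (is TCP/4433 listening), 3.2 (is the node process alive) and 3.3 (which process already holds a honeypot's port) all come down to reading `ss -ntpl` and `ps ax`. The script below is an added example, not part of the HFish project, that turns those manual checks into functions. The parsing functions take command output as a string so they can be exercised on the constructed samples embedded here; the process name `hfish-server`, the pids and the file name `hfish-diag.sh` in those samples are assumptions, and the real process names on your host may differ. The `diagnose_*` functions run `ss` and `ps` on the live host.

```shell
#!/usr/bin/env bash
# Added example (not part of HFish): node-side diagnostics for sections 3.1 to 3.3.

# Constructed sample of `ss -ntpl` output as seen when run as root (process names assumed).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      4096   *:4433             *:*               users:(("hfish-server",pid=2201,fd=7))
LISTEN 0      4096   [::]:4434          [::]:*            users:(("hfish-server",pid=2201,fd=8))'

# Constructed sample of `ps ax` output on a node host.
SAMPLE_PS='  PID TTY      STAT   TIME COMMAND
  812 ?        Ss     0:00 /usr/sbin/sshd -D
 3410 ?        Sl     0:12 ./client
 3422 pts/0    S+     0:00 grep -E services|./client'

# port_listening PORT SS_OUTPUT -> exit 0 if a LISTEN socket is bound to PORT.
# Matches on the last ":"-separated field, so 0.0.0.0:22, *:4433 and [::]:4434 all work.
port_listening() {
    printf '%s\n' "$2" | awk -v port="$1" '
        $1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == port) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# listener_for PORT SS_OUTPUT -> the Process column of the LISTEN line on PORT (empty if none).
listener_for() {
    printf '%s\n' "$2" | awk -v port="$1" '
        $1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == port) { print $6; exit } }'
}

# owner_pid PORT SS_OUTPUT -> the pid holding PORT, parsed from users:(("name",pid=N,fd=M)).
owner_pid() {
    listener_for "$1" "$2" | sed -n 's/.*pid=\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# client_running PS_OUTPUT -> exit 0 if the node process is present; this is the
# page's filter `ps ax | grep -E 'services|./client' | grep -v grep` with the dot escaped.
client_running() {
    printf '%s\n' "$1" | grep -E 'services|\./client' | grep -v grep >/dev/null
}

# Section 3.1: is the management web port up?
diagnose_management() {
    out=$(ss -ntpl 2>/dev/null) || { echo "ss not available" >&2; return 2; }
    if port_listening 4433 "$out"; then
        echo "TCP/4433 is listening: $(listener_for 4433 "$out")"
    else
        echo "TCP/4433 is not listening; check the hfish process (ps ax | grep ./hfish) and restart it" >&2
        return 1
    fi
}

# Section 3.2: is the node process alive? (the management end only hears from it every 60 s)
diagnose_node() {
    if client_running "$(ps ax)"; then
        echo "node client process is running; if the node still shows offline, allow 2-3 minutes for the next check-in"
    else
        echo "node client process not found; restart it from the install directory and collect logs/client.log" >&2
        return 1
    fi
}

# Section 3.3: who holds a port the honeypot wants (bind: address already in use)?
diagnose_honeypot_port() {
    [ -n "$1" ] || { echo "usage: diagnose_honeypot_port PORT" >&2; return 2; }
    out=$(ss -ntpl 2>/dev/null) || return 2
    pid=$(owner_pid "$1" "$out")
    if [ -n "$pid" ]; then
        echo "port $1 is held by pid $pid ($(ps -o comm= -p "$pid" 2>/dev/null)); move the honeypot to another port or stop that service" >&2
        return 1
    fi
    echo "port $1 is free"
}

# Usage: ./hfish-diag.sh mgmt | node | port <N>
case "${1:-}" in
    mgmt) diagnose_management ;;
    node) diagnose_node ;;
    port) diagnose_honeypot_port "${2:-}" ;;
esac
```

Running `ss -ntpl` without root leaves the Process column empty, so `port_listening` decides on the address column alone and only `owner_pid` depends on the `users:(...)` field; run the `port` check as root when you need the pid.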

**After changing the service template, the new honeypot service cannot be accessed**

In HFish's current product structure, the management end **never** actively connects to a node to change the node's configuration.
The management end only generates a configuration and waits for the node, which tries to connect to the management end every 60 seconds, to pull it.
The results of attacks on honeypot services are reported to the management end in real time.

 =========================================================

Most of the content above is taken from the official HFish documentation. This article covers the introduction and installation; the next article plans to cover usage in detail.

Origin blog.csdn.net/imtech/article/details/129688386